[cabfpub] Pre-Ballot - Short-Life Certificates

Jeremy.Rowley jeremy.rowley at digicert.com
Fri Oct 24 10:30:45 MST 2014


As Gerv and Ryan mentioned, CAs are still revoking the certs.  In this 
case, the CA revokes the cert by waiting for 48 hours until the 
certificate expires.  They're still doing their job.  It's actually 
better than OCSP as defined in the BRs since that has a 10 day validity 
period.  Revocation pointers do protect users, but so does a short-lived 
cert.

DigiCert supports this change and would endorse a ballot to permit short 
validity periods as an alternative form of revocation.

Jeremy

On 10/24/2014 10:01 AM, Rich Smith wrote:
> I don't think it is OK, but as long as the revocation pointers are
> there, the CA CAN revoke a certificate, which is part of their job. The
> CA has no say in what the browser does with that information. That's
> your job, and your responsibility.  Your argument is that short lived
> w/out revocation pointers is equal to long lived with revocation
> pointers.  I maintain that that is only true under the narrow
> circumstances outlined earlier and that there are other circumstances
> under which revocation pointers DO in fact protect users, if revocation
> is checked.  But again revocation CHECKING is your job.  Revocation is
> the CAs job and the CA can't do that job if no pointers exist.
>
> -Rich
>
> On 10/24/2014 9:52 AM, Gervase Markham wrote:
>> Now every browser doesn't check revocation for
>> short-life certs. If this is OK by you, why are you not OK with us
>> achieving the same end more quickly by removing the revocation pointers?
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public
> .
>

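The comparison above (a 48-hour certificate versus an OCSP response that may be up to 10 days old) is easy to reason about with a small verifier-side policy. The following Go program is an added example written for this archive page; it is not code from DigiCert, Mozilla or the CA/Browser Forum. It constructs test certificates with Go's standard crypto/x509 package, decides whether a verifier must consult OCSP/CRL based on an assumed "short-lived" threshold of 7 days, and computes the worst-case window during which a compromised certificate could still be accepted under each regime. The 7-day threshold, the 10-day OCSP validity constant and the example.test names are assumptions for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// MaxShortLived is an assumed verifier threshold: at or below this lifetime,
// certificate expiry itself is accepted as the revocation mechanism.
const MaxShortLived = 7 * 24 * time.Hour

// OCSPMaxValidity models the 10-day OCSP response validity period discussed
// in the thread: a cached "good" response can be at most this stale.
const OCSPMaxValidity = 10 * 24 * time.Hour

// makeCert builds a self-signed test certificate (constructed for this example)
// with the given lifetime and optional AIA OCSP / CRL distribution point URLs.
func makeCert(lifetime time.Duration, ocspURL, crlURL string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	notBefore := time.Now().Add(-time.Minute)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example.test"}, // assumed name
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(lifetime),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     []string{"example.test"},
	}
	if ocspURL != "" {
		tmpl.OCSPServer = []string{ocspURL}
	}
	if crlURL != "" {
		tmpl.CRLDistributionPoints = []string{crlURL}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Decision records what the verifier concluded about a certificate.
type Decision struct {
	ShortLived            bool
	HasRevocationPointers bool
	CheckRevocation       bool
	Reason                string
}

// RevocationPolicy decides whether a verifier must consult OCSP/CRL for cert at
// time now. Short-lived certs are accepted on expiry alone; long-lived certs
// need pointers, and a long-lived cert without any pointer is rejected because
// the CA would have no way to revoke it.
func RevocationPolicy(cert *x509.Certificate, now time.Time) (Decision, error) {
	lifetime := cert.NotAfter.Sub(cert.NotBefore)
	pointers := len(cert.OCSPServer) > 0 || len(cert.CRLDistributionPoints) > 0
	d := Decision{ShortLived: lifetime <= MaxShortLived, HasRevocationPointers: pointers}
	switch {
	case now.After(cert.NotAfter):
		return d, fmt.Errorf("certificate expired at %s", cert.NotAfter.UTC())
	case d.ShortLived:
		d.Reason = fmt.Sprintf("lifetime %s <= %s: expiry bounds exposure", lifetime, MaxShortLived)
	case pointers:
		d.CheckRevocation = true
		d.Reason = "long-lived certificate: fetch OCSP/CRL before trusting"
	default:
		return d, fmt.Errorf("long-lived certificate with no revocation pointers: cannot be revoked")
	}
	return d, nil
}

// WorstCaseExposure returns how long a compromised certificate could still be
// accepted after the CA learns of the compromise: until expiry for a cert whose
// revocation is not checked, or until the freshest cached "good" OCSP response
// (issued just before the CA learned) expires, capped by NotAfter.
func WorstCaseExposure(cert *x509.Certificate, compromiseKnown time.Time, checkRevocation bool) time.Duration {
	untilExpiry := cert.NotAfter.Sub(compromiseKnown)
	if untilExpiry < 0 {
		return 0
	}
	if checkRevocation && OCSPMaxValidity < untilExpiry {
		return OCSPMaxValidity
	}
	return untilExpiry
}

func main() {
	now := time.Now()
	short, _ := makeCert(48*time.Hour, "", "")                          // no pointers
	long, _ := makeCert(365*24*time.Hour, "http://ocsp.example.test", "") // assumed URL
	for name, c := range map[string]*x509.Certificate{"48h cert": short, "1y cert": long} {
		d, err := RevocationPolicy(c, now)
		fmt.Printf("%s: %+v err=%v exposure=%s\n", name, d, err, WorstCaseExposure(c, now, d.CheckRevocation))
	}
}
```

Running it shows the thread's point in numbers: the 48-hour certificate without pointers is trusted for at most its remaining lifetime, while the one-year certificate relying on OCSP can be accepted for up to the full 10-day response validity after the CA has already marked it revoked.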