[cabfpub] Pre-Ballot - Short-Life Certificates

Eddy Nigg eddy_nigg at startcom.org
Fri Oct 31 14:55:29 MST 2014


On 10/31/2014 07:09 PM, Jeremy Rowley wrote:
> 7) Short-lived certs provide a limited hard-fail since the expiration message for expired certs is more visible than the message received where revocation information is unavailable

I don't agree with this entirely - a working revocation usually BLOCKS a
visitor to the site, whereas an expiration notice is not only clicked
away; from the logic of a visitor it's "just" an expiration, meaning
that this site had a valid certificate and just failed to renew or whatever.

In my opinion browsers would have to implement similar logic as with
revocations when a short-lived certificate is expired in order to be
effective. And I highly doubt that neither CAs nor browsers wish to do that.

> 8) Browsers don't need to add the certs to their CRLSets or do a call to the CA to retrieve revocation information.

With the above logic, this isn't necessarily true if a key of such 
certificates gets compromised. Such a key could be potentially used for 
hundreds of certificates, depending on what the guidelines will be for 
reuse of such keys.

If the weakness of how browsers handle expired certificates is
abused with such certificates, they might have to be included in a CRL.

> 9) Short-lived certs provide shorter revocation windows than currently offered under the BRs.

Please note that the BR allows for a maximum period. CAs might use
shorter periods, in addition to the fact that certain browsers don't hold
OCSP responses for more than 24 hours.

-- 
Regards
Signer: 	Eddy Nigg, COO/CTO
	StartCom Ltd. <http://www.startcom.org>
XMPP: 	startcom at startcom.org <xmpp:startcom at startcom.org>
Blog: 	Join the Revolution! <http://blog.startcom.org>
Twitter: 	Follow Me <http://twitter.com/eddy_nigg>
