[cabfpub] Pre-Ballot - Short-Life Certificates
Rich Smith
richard.smith at comodo.com
Fri Oct 24 16:01:36 UTC 2014
I don't think it is OK, but as long as the revocation pointers are
there, the CA CAN revoke a certificate, which is part of their job. The
CA has no say in what the browser does with that information. That's
your job, and your responsibility. Your argument is that short-lived
w/out revocation pointers is equal to long-lived with revocation
pointers. I maintain that that is only true under the narrow
circumstances outlined earlier and that there are other circumstances
under which revocation pointers DO in fact protect users, if revocation
is checked. But again revocation CHECKING is your job. Revocation is
the CA's job, and the CA can't do that job if no pointers exist.
-Rich
On 10/24/2014 9:52 AM, Gervase Markham wrote:
> Now every browser doesn't check revocation for
> short-life certs. If this is OK by you, why are you not OK with us
> achieving the same end more quickly by removing the revocation pointers?