[cabfpub] Pre-Ballot - Short-Life Certificates

Jeremy.Rowley jeremy.rowley at digicert.com
Fri Oct 24 19:03:05 UTC 2014

Plus, that still ignores the 10 day lifetime for OCSP.  If you have an 
even distribution of hits during that time, the time to revoke is 5 
days.  With Gerv's proposal, the time to revoke is only 2 days - and 
it's a 100% revocation at that time.

Maybe everyone hitting the site is unlikely for mom and pop shops, but 
for someone like Google or Amazon (where people often visit their page 
at least once every 10 days), a two day window is a significant 
improvement. Considering the work required to deploy short-lived certs, 
we probably don't need to worry about rapid adoption by mom and pop sites.


On 10/24/2014 12:42 PM, Ryan Sleevi wrote:
> Rich,
> As has been explained in the past, with OCSP stapling the 'attacker' 
> can replay the gold response to all clients.
> They really are the same security risk profile.
> On Oct 24, 2014 11:37 AM, "Rich Smith" <richard.smith at comodo.com 
> <mailto:richard.smith at comodo.com>> wrote:
>     Only if EVERY user who will hit the site after the certificate is
>     revoked has already visited the site prior to revocation and
>     cached the
>     Good response.  Very unlikely, so a very shaky definition of
>     'better' IMO.
>     On 10/24/2014 1:30 PM, Jeremy.Rowley wrote:
>     > It's actually
>     > better than OCSP as defined in the BRs since that has a 10 day
>     validity
>     > period.
>     _______________________________________________
>     Public mailing list
>     Public at cabforum.org <mailto:Public at cabforum.org>
>     https://cabforum.org/mailman/listinfo/public
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20141024/33ef6365/attachment-0003.html>

More information about the Public mailing list