[cabfpub] Pre-Ballot - Short-Life Certificates

Tim Hollebeek THollebeek at trustwave.com
Mon Oct 27 14:14:38 UTC 2014

What does not having the revocation information in the cert actually solve?

Browsers/Validators are free to implement logic along the lines of:

if (expirationDate - issueDate < 2 days):
    dontBotherWithOnlineStatusChecks = true

Requiring the revocation information might actually even be useful in the event that a CA accidentally issues what were intended to be short-life certificates with long lifetimes, or issues a large number of short-life certificates for some future date ...  I wish I was confident neither of those could happen, but I'm not ...


-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Jeremy.Rowley
Sent: Friday, October 24, 2014 1:31 PM
To: public at cabforum.org
Subject: Re: [cabfpub] Pre-Ballot - Short-Life Certificates

As Gerv and Ryan mentioned, CAs are still revoking the certs.  In this case, the CA revokes the cert by waiting for 48 hours until the certificate expires.  They're still doing their job.  It's actually better than OCSP as defined in the BRs since that has a 10 day validity period.  Revocation pointed do protect users, but so does a short lived cert.

DigiCert supports this change and would endorse a ballot to permit short validity periods as an alternative form of revocation.


On 10/24/2014 10:01 AM, Rich Smith wrote:
> I don't think it is OK, but as long as the revocation pointers are
> there, the CA CAN revoke a certificate, which is part of their job.
> The CA has no say in what the browser does with that information.
> That's your job, and your responsibility.  Your argument is that short
> lived w/out revocation pointers is equal to long lived with revocation
> pointers.  I maintain that that is only true under the narrow
> circumstances outlined earlier and that there are other circumstances
> under which revocation pointers DO in fact protect users, if
> revocation is checked.  But again revocation CHECKING is your job.
> Revocation is the CAs job and the CA can't do that job if no pointers exist.
> -Rich
> On 10/24/2014 9:52 AM, Gervase Markham wrote:
>> Now every browser doesn't check revocation for short-life certs. If
>> this is OK by you, why are you not OK with us achieving the same end
>> more quickly by removing the revocation pointers?
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> http://scanmail.trustwave.com/?c=4062&d=5YzK1DShRqNLOm0u5HQGxyK3KMktVH
> CYK_cXg2C9Yg&s=5&u=https%3a%2f%2fcabforum%2eorg%2fmailman%2flistinfo%2
> fpublic
> .

Public mailing list
Public at cabforum.org


This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is strictly prohibited. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.

More information about the Public mailing list