[cabfpub] Pre-Ballot - Short-Life Certificates

Doug Beattie doug.beattie at globalsign.com
Mon Oct 27 20:08:23 UTC 2014

Maybe we should consider shortening the validity period of OCSP responses -
that would narrow down the window of vulnerability and even up the playing

There are so many shaky arguments in this thread it's impossible to apply
any sort of logic about My assertions vs. Yours.  Someone needs to collect
up all the he said/she said statements and apply some probabilities and
logic to this if it's to be of any use at all.

If we're going to create a new type of certificate which is exempt from
revocation checking we need to tag them as special - a new extension or
something so that they can be processed differently.  Merely relying on the
short validity period or the omission of the AIA does not adequately convey
the special rules which browsers may apply when validating it.  There should
be something explicit.  If it's critical, then the AIA can be omitted; if
it's not critical, then the AIA needs to be there for anyone other than
Firefox that comes along and tries to validate it.


> -----Original Message-----
> From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org]
> On Behalf Of Gervase Markham
> Sent: Monday, October 27, 2014 3:33 PM
> To: Tim Hollebeek; public at cabforum.org
> Subject: Re: [cabfpub] Pre-Ballot - Short-Life Certificates
> On 27/10/14 14:14, Tim Hollebeek wrote:
> > What does not having the revocation information in the cert actually
> I've covered this earlier in the thread :-)
> Gerv
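Added example, not part of the original message or of any browser's code: a small model of the critical / non-critical trade-off described above, applying the RFC 5280 rule that a client must reject a certificate carrying a critical extension it does not recognize. The marker OID, the two client profiles and the decision strings are assumptions made for illustration.

```python
"""Model of how a relying party treats a certificate's extensions (added example)."""
from dataclasses import dataclass

AIA_OID = "1.3.6.1.5.5.7.1.1"            # id-pe-authorityInfoAccess
SHORT_LIVED_OID = "1.3.6.1.4.1.99999.1"  # constructed placeholder, not an assigned OID

@dataclass(frozen=True)
class Extension:
    oid: str
    critical: bool = False

LEGACY = frozenset({AIA_OID})                  # client that predates the marker
AWARE = frozenset({AIA_OID, SHORT_LIVED_OID})  # client that implements the marker

def validate(extensions, understood):
    """Return the revocation-handling decision for one certificate and one client."""
    present = {e.oid for e in extensions}
    # RFC 5280: an unrecognized critical extension means the certificate is rejected.
    if any(e.critical and e.oid not in understood for e in extensions):
        return "reject: unrecognized critical extension"
    if SHORT_LIVED_OID in present and SHORT_LIVED_OID in understood:
        return "accept: revocation check skipped on explicit marker"
    if AIA_OID in present:
        return "accept only after OCSP check via AIA"
    return "accept: no revocation source, nothing checked"

# Constructed certificate designs: only the extension set matters for this model.
DESIGNS = {
    "critical marker, no AIA": (Extension(SHORT_LIVED_OID, critical=True),),
    "non-critical marker, AIA": (Extension(SHORT_LIVED_OID), Extension(AIA_OID)),
    "non-critical marker, no AIA": (Extension(SHORT_LIVED_OID),),
    "no marker, no AIA": (),
}

def matrix():
    """Decision for every design under both clients."""
    clients = (("legacy", LEGACY), ("aware", AWARE))
    return {(d, c): validate(exts, oids)
            for d, exts in DESIGNS.items() for c, oids in clients}

if __name__ == "__main__":
    for (design, client), decision in matrix().items():
        print(f"{design:28} {client:7} {decision}")
```

The rows to compare are the two designs without an AIA: with a critical marker a legacy client fails closed, while with a non-critical or absent marker it accepts with no revocation information and no signal that special rules were intended.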