[cabfpub] Pre-Ballot - Short-Life Certificates

Doug Beattie doug.beattie at globalsign.com
Wed Oct 29 18:10:11 UTC 2014


I was under the (apparently false) impression that if certificates did not have AIA information then browsers would display a warning or error message to the user.  You answered Kirk with a statement "no browser I know of today, in its default configuration, will refuse to accept a cert for the reason that it contains no revocation pointers ".  If this is generally believed to be true, then I withdraw my recommendation around tagging these certificates with unique identifiers.

I just find it hard to swallow that all browsers accept SSL certificates without an AIA/CDP as valid.  I acknowledge that they are non-compliant with the BRs and the CA will get a beating.  It just seems irresponsible to accept certs like this as completely valid.  But, apparently (some) browsers don’t use the AIA to check the status of certificates when present either.  Somebody is using AIA because we provide terabytes of data every month to support revocation checking.  

Are we SURE that removing AIA won't adversely impact site operators' customers, whoever they are?


> -----Original Message-----
> From: Gervase Markham [mailto:gerv at mozilla.org]
> Sent: Wednesday, October 29, 2014 11:52 AM
> To: Doug Beattie; 'Tim Hollebeek'; public at cabforum.org
> Subject: Re: [cabfpub] Pre-Ballot - Short-Life Certificates
> On 27/10/14 20:08, Doug Beattie wrote:
> > If we're going to create a new type of certificate which is exempt
> > from revocation checking we need to tag them as special - a new
> > extension or something so that they can be processed differently.
> Why? Legacy browsers will continue to treat them exactly the same whether
> or not you mandate a new marker, and newer browsers which decide to
> adopt special treatment will do so based on their maximum lifetime, not on
> any other criteria.
> Gerv
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5615 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/public/attachments/20141029/bebc2b5c/attachment-0001.p7s>

More information about the Public mailing list