[cabfpub] Pre-Ballot - Short-Life Certificates

kirk_hall at trendmicro.com kirk_hall at trendmicro.com
Thu Oct 30 15:48:52 UTC 2014


This may be too deep for me, but what if browsers followed this logic?



Cert issued from (original) trusted root in browser root store (not added by client) => cert must have CDP and AIA to be treated as valid by browser


Cert NOT issued from (original) trusted root in browser root store (so maybe cert from root added by client) => cert is NOT required to have CDP and AIA to be treated as valid by browser





-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Gervase Markham
Sent: Thursday, October 30, 2014 6:29 AM
To: Eddy Nigg
Cc: public at cabforum.org
Subject: Re: [cabfpub] Pre-Ballot - Short-Life Certificates



On 29/10/14 22:12, Eddy Nigg wrote:

> Considering that CAs were required to modify the OCSP responders to

> include Good, Revoked and *Unknown* upon request of the browsers

> mostly (I believe Google was a strong supporter of that), it's rather

> confusing to know that browsers entirely ignore it if the certificates

> have no OCSP (and CRL) pointers, not speaking about checking this

> information when available.



How do you envisage a browser would know which server to ask about the Certificate Status of a particular certificate, if the certificate did not contain a server pointer?



Gerv



_______________________________________________

Public mailing list

Public at cabforum.org<mailto:Public at cabforum.org>

https://cabforum.org/mailman/listinfo/public

<table class="TM_EMAIL_NOTICE"><tr><td><pre>
TREND MICRO EMAIL NOTICE
The information contained in this email and any attachments is confidential 
and may be subject to copyright or other intellectual property protection. 
If you are not the intended recipient, you are not authorized to use or 
disclose this information, and we request that you notify us by reply mail or
telephone and delete the original message from your mail system.
</pre></td></tr></table>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20141030/06f50ea1/attachment-0003.html>


More information about the Public mailing list