[cabfpub] Pre-Ballot - Short-Life Certificates
Eddy Nigg
eddy_nigg at startcom.org
Fri Oct 31 21:55:29 UTC 2014
On 10/31/2014 07:09 PM, Jeremy Rowley wrote:
> 7) Short-lived certs provide a limited hard-fail since the expiration message for expired certs is more visible than the message received where revocation information is unavailable
I don't agree with this entirely - a working revocation usually BLOCKS a
visitor to the site, whereas an expiration notice is not only clicked
away; from the logic of a visitor it's "just" an expiration, meaning
that this site had a valid certificate and just failed to renew or whatever.
In my opinion browsers would have to implement a similar logic as with
revocations when a short-lived certificate is expired in order to be
effective. And I highly doubt that either CAs or browsers wish to do that.
> 8) Browsers don't need to add the certs to their CRLSets or do a call to the CA to retrieve revocation information.
With the above logic, this isn't necessarily true if a key of such
certificates gets compromised. Such a key could be potentially used for
hundreds of certificates, depending on what the guidelines will be for
reuse of such keys.
If the weakness of how browsers handle expired certificates is
abused with such certificates, they might have to be included in a CRL.
> 9) Short-lived certs provide shorter revocation windows than currently offered under the BRs.
Please note that the BR allows for a maximum period. CAs might use
shorter periods; in addition, certain browsers don't hold OCSP
responses for more than 24 hours.
--
Regards
Signer: Eddy Nigg, COO/CTO
StartCom Ltd. <http://www.startcom.org>
XMPP: startcom at startcom.org <xmpp:startcom at startcom.org>
Blog: Join the Revolution! <http://blog.startcom.org>
Twitter: Follow Me <http://twitter.com/eddy_nigg>
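An added example, not part of Eddy's message or anyone else's in this thread: a stdlib-only Python script that pulls notBefore/notAfter out of an X.509 DER certificate with a minimal ASN.1 walker, classifies the certificate as short-lived, and models the two client policies under discussion. The "current" policy turns an expired certificate into a click-through warning and an unavailable revocation status into a silent soft-fail; the "strict" policy treats an expired short-lived certificate like a revocation (hard block), which is the behaviour the message argues browsers would need. The short-lived threshold (4 days), the decision labels and the sample certificate (dummy OIDs, empty names, placeholder key and signature, built inline) are all constructed for this example and are not values from the ballot or the BRs.

```python
"""Validity extraction and expiry-vs-revocation policy model (added example)."""
from datetime import datetime, timedelta, timezone

# --- minimal DER encode/decode helpers (enough for Certificate -> validity) ---

def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body

def seq(*parts: bytes) -> bytes:
    return tlv(0x30, b"".join(parts))

def utctime(dt: datetime) -> bytes:
    # ASN.1 UTCTime, YYMMDDhhmmssZ
    return tlv(0x17, dt.strftime("%y%m%d%H%M%SZ").encode())

def read_tlv(buf: bytes, pos: int):
    """Return (tag, value_start, value_end) for the TLV that starts at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        n = first & 0x7F
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    start = pos + hdr
    return tag, start, start + length

def parse_time(tag: int, raw: bytes) -> datetime:
    if tag == 0x17:  # UTCTime
        return datetime.strptime(raw.decode(), "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    if tag == 0x18:  # GeneralizedTime
        return datetime.strptime(raw.decode(), "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    raise ValueError("unexpected time tag 0x%02x" % tag)

def validity_window(der: bytes):
    """Walk Certificate -> tbsCertificate -> validity; return (notBefore, notAfter)."""
    _, tbs_start, _ = read_tlv(der, 0)        # outer Certificate SEQUENCE
    _, pos, _ = read_tlv(der, tbs_start)      # tbsCertificate SEQUENCE
    tag, _, end = read_tlv(der, pos)          # optional [0] EXPLICIT version
    if tag == 0xA0:
        pos = end
    for _ in range(3):                        # serialNumber, signature, issuer
        _, _, pos = read_tlv(der, pos)
    _, vstart, _ = read_tlv(der, pos)         # validity SEQUENCE
    t1, s1, e1 = read_tlv(der, vstart)
    t2, s2, e2 = read_tlv(der, e1)
    return parse_time(t1, der[s1:e1]), parse_time(t2, der[s2:e2])

# --- policy model -----------------------------------------------------------

SHORT_LIVED_MAX = timedelta(days=4)  # assumed threshold for this example only

def is_short_lived(not_before: datetime, not_after: datetime) -> bool:
    return not_after - not_before <= SHORT_LIVED_MAX

def client_decision(der: bytes, now: datetime, revocation_status: str,
                    strict_short_lived: bool = False) -> str:
    """revocation_status is 'good', 'revoked' or 'unavailable'.
    Returns ALLOW, WARN (click-through page), SOFT_FAIL (proceeds) or BLOCK."""
    not_before, not_after = validity_window(der)
    if revocation_status == "revoked":
        return "BLOCK"                        # revocation already hard-fails
    if now > not_after:
        if strict_short_lived and is_short_lived(not_before, not_after):
            return "BLOCK"                    # expiry treated like revocation
        return "WARN"                         # today's dismissable expiry page
    if now < not_before:
        return "WARN"
    if revocation_status == "unavailable":
        return "SOFT_FAIL"                    # common soft-fail on OCSP outage
    return "ALLOW"

# --- constructed sample certificate (not a real CA's certificate) -----------

def make_sample_cert(not_before: datetime, not_after: datetime) -> bytes:
    sha256_rsa = seq(tlv(0x06, bytes.fromhex("2a864886f70d01010b")), tlv(0x05, b""))
    version = tlv(0xA0, tlv(0x02, b"\x02"))  # v3
    serial = tlv(0x02, b"\x01")
    name = seq()                              # empty Name, placeholder
    validity = seq(utctime(not_before), utctime(not_after))
    spki = seq(sha256_rsa, tlv(0x03, b"\x00"))          # placeholder key
    tbs = seq(version, serial, sha256_rsa, name, validity, name, spki)
    return seq(tbs, sha256_rsa, tlv(0x03, b"\x00"))     # placeholder signature

NOW = datetime(2014, 10, 31, 22, 0, tzinfo=timezone.utc)
EXPIRED_SHORT = make_sample_cert(NOW - timedelta(days=5), NOW - timedelta(days=2))
EXPIRED_LONG = make_sample_cert(NOW - timedelta(days=400), NOW - timedelta(days=2))
LIVE = make_sample_cert(NOW - timedelta(days=1), NOW + timedelta(days=1))

if __name__ == "__main__":
    for label, cert in (("short", EXPIRED_SHORT), ("long", EXPIRED_LONG), ("live", LIVE)):
        nb, na = validity_window(cert)
        print(label, nb.date(), na.date(),
              client_decision(cert, NOW, "unavailable"),
              client_decision(cert, NOW, "unavailable", strict_short_lived=True))
```

The point the model makes concrete is the one raised in the reply: with today's handling, an expired short-lived certificate and one whose OCSP responder is unreachable both leave the visitor able to proceed, so the shorter window only helps if the client hard-fails on expiry for that class of certificate. The same walker works on a real DER certificate (`open("cert.der","rb").read()`), since it only depends on the fixed order of tbsCertificate fields.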