[cabfpub] Pre-Ballot - Short-Life Certificates

Eddy Nigg eddy_nigg at startcom.org
Fri Oct 31 22:07:17 UTC 2014

On 10/31/2014 11:59 PM, Gervase Markham wrote:
> There is certainly the option of treating expired short-lived certs 
> differently in new browsers, and I suggested that we might do that in 
> the discussion in Beijing. But that would be icing on the cake. 

In my opinion very important!

> Would you prefer it if the guidelines said that each successive 
> short-lived cert had to use a different key?

I would see an even higher risk if such keys would have to be exchanged 
on a daily basis. Or pre-created and submitted to the CA (as CSR) and 
stored somewhere.

I'm not really a supporter of this idea, but it's obvious that each way 
has its own risks. I see more risks for such (short-lived) certificates 
in general, no matter which way you chose (regarding reuse of the key or 

Signer: 	Eddy Nigg, COO/CTO
	StartCom Ltd. <http://www.startcom.org>
XMPP: 	startcom at startcom.org <xmpp:startcom at startcom.org>
Blog: 	Join the Revolution! <http://blog.startcom.org>
Twitter: 	Follow Me <http://twitter.com/eddy_nigg>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20141101/ef118008/attachment-0003.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4313 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.cabforum.org/pipermail/public/attachments/20141101/ef118008/attachment-0001.p7s>

More information about the Public mailing list