[cabfpub] Short-Lived Certs - the return
Eddy Nigg
eddy_nigg at startcom.org
Tue Jun 9 12:37:23 MST 2015
On 06/09/2015 10:26 PM, Doug Beattie wrote:
> Browsers can check, or not, the status of SSL certificates today and
> they can also change the rules for shorter validity period
> certificates as they see fit, that is outside the scope of the BRs.
Right! I'd prefer to keep it this way, the same way we can't mandate
browsers to perform any sort of
> The purpose of this discussion/ballot is to enable the issuance of SSL
> certificates and not require the CA to set up revocation services.
Well, that's the problem I basically personally have with it.
> By selecting a sufficiently short validity period we can "revoke"
> certificates more quickly than is currently mandated.
I don't think so, rather the opposite. Revocation can take effect
immediately for anybody that doesn't have a cached result already in the
software which means that the minute a revocation response is set to
revoked, a compromised certificate becomes (commercially) less interesting.
Of course for specifically targeted attacks this is not true, which
however requires quite some control over the victim's network. It's
still a lot more difficult than with a certificate without any
revocation pointers.
> Browsers might also change their expired certificate warning to that
> of a revoked certificate.
I believe that's a different discussion altogether.
--
Regards
Signer: Eddy Nigg, COO/CTO
StartCom Ltd. <http://www.startcom.org>
XMPP: startcom at startcom.org <xmpp:startcom at startcom.org>
Blog: Join the Revolution! <http://blog.startcom.org>
Twitter: Follow Me <http://twitter.com/eddy_nigg>
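To make the trade-off argued in this exchange concrete, here is an added example (not from the list thread, nor any CA's or browser's code) that models, for a few constructed client states, how long a compromised certificate keeps being accepted under a short validity period versus under revocation. The validity periods, the revocation delay and the cached OCSP response lifetime are assumed values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional


@dataclass
class Client:
    """Constructed model of one relying party's revocation state for a leaf cert."""
    checks_revocation: bool                        # False: ignores revocation pointers entirely
    cached_good_until: Optional[datetime] = None   # nextUpdate of a cached "good" OCSP response


def accepted_until(not_after: datetime, revoked_at: Optional[datetime], client: Client) -> datetime:
    """Instant after which this client stops accepting the certificate.

    No revocation data (or a client that never checks): bounded only by notAfter.
    Uncached client: rejects as soon as the status is set to revoked.
    Client holding a cached "good" response: keeps trusting until that response expires.
    """
    if revoked_at is None or not client.checks_revocation:
        return not_after
    if client.cached_good_until is None:
        return min(revoked_at, not_after)
    return min(max(revoked_at, client.cached_good_until), not_after)


def exposure(compromised_at: datetime, not_after: datetime,
             revoked_at: Optional[datetime], client: Client) -> timedelta:
    """How long a key compromised at `compromised_at` stays usable against this client."""
    return max(accepted_until(not_after, revoked_at, client) - compromised_at, timedelta(0))


def compare_scenarios() -> Dict[str, timedelta]:
    # Constructed timeline: key compromised at t0; the CA sets the status to revoked 2h later.
    t0 = datetime(2015, 6, 9, 12, 0, tzinfo=timezone.utc)
    revoked_at = t0 + timedelta(hours=2)
    short_lived_not_after = t0 + timedelta(days=3)    # assumed 3-day cert, no revocation pointers
    long_lived_not_after = t0 + timedelta(days=365)   # assumed 1-year cert with OCSP
    uncached = Client(checks_revocation=True)
    cached = Client(checks_revocation=True, cached_good_until=t0 + timedelta(hours=6))
    no_check = Client(checks_revocation=False)
    return {
        "short-lived, no revocation": exposure(t0, short_lived_not_after, None, uncached),
        "revoked, uncached client": exposure(t0, long_lived_not_after, revoked_at, uncached),
        "revoked, cached good response": exposure(t0, long_lived_not_after, revoked_at, cached),
        "revoked, client ignores revocation": exposure(t0, long_lived_not_after, revoked_at, no_check),
    }


if __name__ == "__main__":
    for name, window in compare_scenarios().items():
        print(f"{name}: {window}")
```

The last row is the case the thread calls out: a client that never consults revocation data is bounded only by notAfter, which is the argument for short validity periods, while the other rows show revocation cutting exposure to the revocation delay plus whatever a cached response still covers.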