[cabfpub] Short-Lived Certs - the return

Eddy Nigg eddy_nigg at startcom.org
Tue Jun 9 12:37:23 MST 2015


On 06/09/2015 10:26 PM, Doug Beattie wrote:
> Browsers can check, or not, the status of SSL certificates today and 
> they can also change the rules for shorter validity period 
> certificates as they see fit, that is outside the scope of the BRs.

Right! I'd prefer to keep it this way, the same way we can't mandate 
browsers to perform any sort of

> The purpose of this discussion/ballot is to enable the issuance of SSL 
> certificates and not require the CA to set up revocation services.

Well, that's the problem I basically personally have with it.

> By selecting a sufficiently short validity period we can "revoke" 
> certificates more quickly than is currently mandated.

I don't think so, rather the opposite. Revocation can take effect 
immediately for anybody that doesn't have a cached result already in the 
software which means that the minute a revocation response is set to 
revoked, a compromised certificate becomes (commercially) less interesting.

Of course for specifically targeted attacks this is not true, which 
however requires quite some controls over the victim's network. It's 
still a lot more difficult than with a certificate without any 
revocation pointers.

> Browsers might also change their expired certificate warning to that 
> of a revoked certificate.

I believe that's a different discussion altogether.

-- 
Regards
Signer: 	Eddy Nigg, COO/CTO
	StartCom Ltd. <http://www.startcom.org>
XMPP: 	startcom at startcom.org <xmpp:startcom at startcom.org>
Blog: 	Join the Revolution! <http://blog.startcom.org>
Twitter: 	Follow Me <http://twitter.com/eddy_nigg>
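The timing argument in the exchange above (revocation takes effect immediately only for relying parties without a cached status result) can be made concrete with a small timeline model. This is an added illustration, not code from the post or from the CA/Browser Forum; the certificate lifetimes, compromise time, revocation delay and cache lifetime in it are constructed values.

```python
# Added illustration (not part of the original post): a small timeline model
# of when a relying party stops trusting a compromised certificate, comparing
# a short-lived certificate without revocation pointers against a longer-lived
# one that can be revoked, with and without a cached "good" status response.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class Cert:
    not_before: datetime
    not_after: datetime
    has_revocation_pointers: bool  # OCSP AIA / CRL DP present in the cert


@dataclass
class Client:
    checks_revocation: bool
    cached_good_until: Optional[datetime] = None  # nextUpdate of a cached status


def distrust_time(cert: Cert, client: Client, revoked_at: Optional[datetime]) -> datetime:
    """Earliest moment this client stops accepting the certificate."""
    if (revoked_at is None or not cert.has_revocation_pointers
            or not client.checks_revocation):
        return cert.not_after  # only expiry can end trust here
    effective = revoked_at
    if client.cached_good_until is not None:
        # A cached "good" response is honoured until its nextUpdate passes
        effective = max(revoked_at, client.cached_good_until)
    return min(cert.not_after, effective)


def exposure_window(cert: Cert, client: Client, compromised_at: datetime,
                    revoked_at: Optional[datetime]) -> timedelta:
    """How long the compromised key stays accepted by this client."""
    return max(distrust_time(cert, client, revoked_at) - compromised_at, timedelta(0))


# Constructed scenario (all values are assumptions for the illustration)
T0 = datetime(2015, 6, 9, 12, 0)
SHORT = Cert(T0, T0 + timedelta(days=3), has_revocation_pointers=False)
LONG = Cert(T0, T0 + timedelta(days=365), has_revocation_pointers=True)
COMPROMISED = T0 + timedelta(days=1)
REVOKED = COMPROMISED + timedelta(hours=2)  # CA revokes two hours after compromise
FRESH = Client(checks_revocation=True)
CACHED = Client(checks_revocation=True, cached_good_until=T0 + timedelta(days=7))
NO_CHECK = Client(checks_revocation=False)

if __name__ == "__main__":
    for name, cert in (("short-lived", SHORT), ("revocable", LONG)):
        for cname, client in (("fresh", FRESH), ("cached", CACHED), ("no-check", NO_CHECK)):
            print(f"{name:11} {cname:8} exposed for {exposure_window(cert, client, COMPROMISED, REVOKED)}")
```

The output shows both sides of the argument: the revocable certificate is distrusted within two hours by a client that fetches fresh status, but stays accepted for six days by one holding a week-long cached response, longer than the short-lived certificate's remaining two days.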
