[cabfpub] Short-Lived Certs - the return
Eddy Nigg
eddy_nigg at startcom.org
Thu Jun 11 08:57:17 MST 2015
On 06/11/2015 02:54 PM, Doug Beattie wrote:
> While Revocation can take place immediately, the BRs only say that you
> must update your cert status every 10 days.
That's correct when nothing changes, which however is not correct when a
certificate must be revoked. In that case it's not max 10 days, but
rather fairly immediately.
Also, most browsers that check OCSP do that on a daily basis and not
after 10 days. So your argument is not really working, and that's the
reason why I'm not much in favor.
> The same is true with short validity period certificates;
>
Again, I think browsers can handle that according to their
consideration. Some browsers don't check OCSP, or do so only when a
stapled response is received, etc. etc.
My recommendation for browsers would be to omit revocation checking if
the expiration of the certificate is less than 24 hours.
> This ballot will enable browsers and other applications that process
> SSL certificates to start considering if/how they want to handle them.
>
No, they can do that already today without any ballot. But providing an
exception for omitting OCSP/CRLs opens a can of bees... I don't want to
go there :-)
--
Regards
Signer: Eddy Nigg, COO/CTO
StartCom Ltd. <http://www.startcom.org>
XMPP: startcom at startcom.org <xmpp:startcom at startcom.org>
Blog: Join the Revolution! <http://blog.startcom.org>
Twitter: Follow Me <http://twitter.com/eddy_nigg>
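As an added illustration (not part of Eddy's message or of any CA/B Forum text), the following Python models the two client policies compared above: skipping OCSP/CRL checks for a certificate that expires within 24 hours versus accepting a cached OCSP response that the BRs allow to be refreshed only every 10 days. It computes, for each path, the longest a certificate revoked right now could still be accepted; the constants, function names and sample timestamps are assumptions made for this example.

```python
from datetime import datetime, timedelta, timezone

# Assumed policy constants taken from the discussion, not from a standard's text.
SHORT_LIVED_THRESHOLD = timedelta(hours=24)  # suggested cutoff for omitting revocation checks
BR_MAX_STATUS_AGE = timedelta(days=10)       # BR figure cited in the thread: status refreshed every 10 days


def skip_revocation_check(not_after: datetime, now: datetime) -> bool:
    """Client policy suggested in the message: omit OCSP/CRL checking only
    when the certificate is still valid but expires in under 24 hours."""
    remaining = not_after - now
    return timedelta(0) < remaining < SHORT_LIVED_THRESHOLD


def worst_case_acceptance_window(not_after: datetime, now: datetime,
                                 ocsp_next_update: datetime) -> timedelta:
    """Upper bound on how long a certificate revoked at `now` could still be
    accepted by this client (a risk figure for comparison, not a protocol step).

    - Short-lived path (no revocation check): bounded by the remaining lifetime.
    - Revocation-checked path: bounded by the cached OCSP response's nextUpdate,
      capped by the certificate's own expiry.
    """
    remaining = max(not_after - now, timedelta(0))
    if skip_revocation_check(not_after, now):
        return remaining
    return min(remaining, max(ocsp_next_update - now, timedelta(0)))


if __name__ == "__main__":
    # Constructed sample: a 12-hour cert and a one-year cert, both with a
    # freshly issued OCSP response whose nextUpdate is 10 days out.
    now = datetime(2015, 6, 11, 12, 0, tzinfo=timezone.utc)
    next_update = now + BR_MAX_STATUS_AGE
    for label, not_after in (("12h cert", now + timedelta(hours=12)),
                             ("1y cert", now + timedelta(days=365))):
        window = worst_case_acceptance_window(not_after, now, next_update)
        print(f"{label}: skip check={skip_revocation_check(not_after, now)}, "
              f"worst-case acceptance window={window}")
```

The comparison shows the point being argued: the short-lived certificate is exposed for at most its remaining lifetime (12 hours here), while the long-lived certificate with a cached response can be exposed for the full 10-day status window.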