[cabfpub] Short-Lived Certs - the return

Phillip Hallam-Baker philliph at comodo.com
Mon Jun 8 17:53:20 UTC 2015


If you are a CA, then you have to provision OCSP expecting that most of your customers will download every 24 hours. In fact this is true whether or not you sign less frequently.

The reason for making the time limit lax for OCSP was much more on the client side, I think. In particular, the browser pushback against doing OCSP hard fail at all.


With stapling and short-lived certs, these concerns do not apply, and I think we do better to draw the time tightly, which currently means a 72-hour validity window if we are going to try for a 24-hour window, due to the clock skew issues.

I would like to try to close that window down further in the future, though. In fact I would like us to get the window below 60 minutes by 2020, which is quite practical with a combination of short-lived certs and compressed CRLs.
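The 72-hour window around a 24-hour renewal cycle can be checked numerically. The following is an added illustration, not code from the post or from any CA; it assumes the spare validity time is split evenly before and after the renewal period (notBefore = issue - 24h, notAfter = issue + 48h), which the post does not specify.

```python
"""Added example: how a 72-hour validity window with 24-hour renewal absorbs
relying-party clock skew. Window placement is an assumption, not from the post."""
from datetime import datetime, timedelta, timezone

RENEWAL_PERIOD = timedelta(hours=24)   # a fresh cert is issued every 24 h
VALIDITY_WINDOW = timedelta(hours=72)  # total notBefore..notAfter span


def validity_window(issued_at, period=RENEWAL_PERIOD, window=VALIDITY_WINDOW):
    """Assumed placement: spare time is split evenly on both sides of the
    renewal period so that slow and fast clocks are tolerated equally."""
    slack = (window - period) / 2          # 24 h on each side for 72 h / 24 h
    return issued_at - slack, issued_at + period + slack


def is_valid_at(window, client_now):
    """Plain notBefore <= now <= notAfter check as a relying party would do it."""
    not_before, not_after = window
    return not_before <= client_now <= not_after


def always_valid_with_skew(skew, issued_at, period=RENEWAL_PERIOD,
                           window=VALIDITY_WINDOW):
    """True if a client whose clock is off by +/- `skew` never sees an
    invalid cert during the cycle (renewal assumed exactly every `period`).
    Worst cases: slow clock right after issuance, fast clock right before renewal."""
    not_before, not_after = validity_window(issued_at, period, window)
    earliest_seen = issued_at - skew
    latest_seen = issued_at + period + skew
    return not_before <= earliest_seen and latest_seen <= not_after


def max_tolerated_skew(period=RENEWAL_PERIOD, window=VALIDITY_WINDOW):
    """Largest absolute clock error that still leaves the cert valid at all times."""
    return (window - period) / 2


if __name__ == "__main__":
    issued = datetime(2015, 6, 8, 0, 0, tzinfo=timezone.utc)  # constructed sample
    nb, na = validity_window(issued)
    print("notBefore", nb.isoformat(), "notAfter", na.isoformat())
    for hours in (12, 24, 25):
        ok = always_valid_with_skew(timedelta(hours=hours), issued)
        print(f"skew +/-{hours}h: {'always valid' if ok else 'gap'}")
```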
