[cabfpub] Short-Lived Certs - the return

Eddy Nigg eddy_nigg at startcom.org
Tue Jun 9 11:14:31 UTC 2015


On 06/05/2015 11:06 PM, Doug Beattie wrote:
> Given both OCSP and CRL max validity are set at 10 days, I'd recommend 
> we allow SSL certificates to omit OCSP and/or CRL information if they 
> are 10 days or less in duration, that is currently the max lag time a 
> relying party can go without an update (most CAs' actual controls are 
> much shorter than this, and they can also have shorter limits on their 
> "short validity SSL certificates").

I recommend leaving this to the implementations of the browsers, e.g. 
browsers define how frequently they want to check OCSP and CRLs and they 
can decide not to check certificates that will expire in less than X time.

-- 
Regards
Signer: 	Eddy Nigg, COO/CTO
	StartCom Ltd. <http://www.startcom.org>
XMPP: 	startcom at startcom.org <xmpp:startcom at startcom.org>
Blog: 	Join the Revolution! <http://blog.startcom.org>
Twitter: 	Follow Me <http://twitter.com/eddy_nigg>
