[cabfpub] Short-Lived Certs - the return

Eddy Nigg eddy_nigg at startcom.org
Thu Jun 11 15:57:17 UTC 2015

On 06/11/2015 02:54 PM, Doug Beattie wrote:
> While Revocation can take place immediately, the BRs only say that you 
> must update your cert status every 10 days.

That's correct when nothing changes, which however is not correct when a 
certificate must be revoked. In that case it's not a maximum of 10 days, 
but rather fairly immediately.

Also, most browsers that check OCSP do that on a daily basis and not 
after 10 days. So your argument doesn't really work, and that's the reason 
why I'm not much in favor.

> The same is true with short validity period certificates;

Again, I think browsers can handle that according to their own 
consideration. Some browsers don't check OCSP, or do so only when a stapled 
response is received, etc.

My recommendation for browsers would be to omit revocation checking if 
the expiration of the certificate is less than 24 hours.

> This ballot will enable browsers and other applications that process 
> SSL certificates to start considering if/how they want to handle them.

No, they can do that already today without any ballot. But providing an 
exception for omitting OCSP/CRLs opens a can of bees... I don't want to 
go there :-)

Signer: Eddy Nigg, COO/CTO
StartCom Ltd. <http://www.startcom.org>
XMPP: startcom at startcom.org <xmpp:startcom at startcom.org>
Blog: Join the Revolution! <http://blog.startcom.org>
Twitter: Follow Me <http://twitter.com/eddy_nigg>

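As an added illustration (not part of the thread or of any browser's code), a relying-party policy that applies the rule discussed above: skip revocation checking for short-lived certificates, prefer a fresh stapled OCSP response for everything else, and fall back to fetching status. The 24-hour threshold is taken from the message; the `StapledOCSP` class, the decision strings and the sample certificates are constructed for the example, and it keys the exemption on the certificate's total validity period rather than on time remaining, which is an assumption of the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

SHORT_LIVED = timedelta(hours=24)   # threshold taken from the message above

@dataclass
class StapledOCSP:
    """Minimal stand-in for a stapled OCSP response (constructed; no ASN.1 parsing)."""
    status: str              # "good" or "revoked"
    this_update: datetime
    next_update: datetime

def revocation_policy(not_before: datetime, not_after: datetime, now: datetime,
                      stapled: Optional[StapledOCSP] = None) -> str:
    """Return "reject", "accept-no-check", "accept-stapled" or "fetch-ocsp".
    Assumption of this example: the short-lived exemption keys on the total
    validity period, so a long-lived certificate in its last day is still checked."""
    if now < not_before or now >= not_after:
        return "reject"                    # outside validity: never accept
    if not_after - not_before <= SHORT_LIVED:
        return "accept-no-check"           # the lifetime itself bounds revocation lag
    if stapled is not None:
        fresh = stapled.this_update <= now < stapled.next_update
        if fresh and stapled.status == "revoked":
            return "reject"
        if fresh and stapled.status == "good":
            return "accept-stapled"
        # stale staple or unknown status: fall through and fetch a fresh response
    return "fetch-ocsp"

NOW = datetime(2015, 6, 11, 16, 0, tzinfo=timezone.utc)   # constructed "current time"

def evaluate_samples() -> dict:
    """Run the policy over constructed certificates; returns {scenario: decision}."""
    day, h = timedelta(days=1), timedelta(hours=1)
    fresh_good = StapledOCSP("good", NOW - h, NOW + day)
    stale_good = StapledOCSP("good", NOW - 12 * day, NOW - 2 * day)
    fresh_revoked = StapledOCSP("revoked", NOW - h, NOW + day)
    return {
        "short_lived": revocation_policy(NOW - 6 * h, NOW + 6 * h, NOW),
        "long_lived_last_day": revocation_policy(NOW - 365 * day, NOW + 6 * h, NOW),
        "long_lived_fresh_staple": revocation_policy(NOW - day, NOW + 30 * day, NOW, fresh_good),
        "long_lived_stale_staple": revocation_policy(NOW - day, NOW + 30 * day, NOW, stale_good),
        "revoked_staple": revocation_policy(NOW - day, NOW + 30 * day, NOW, fresh_revoked),
        "expired": revocation_policy(NOW - 2 * day, NOW - h, NOW),
    }
```

Note that a staple whose `next_update` has passed is treated as absent, which is what makes the daily-cache argument in the message bite: a stale response must not extend trust.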