[cabfpub] Short-Lived Certs - the return

Eddy Nigg eddy_nigg at startcom.org
Thu Jun 11 21:29:22 UTC 2015

On 06/11/2015 08:13 PM, Ryan Sleevi wrote:
> On Thu, Jun 11, 2015 at 10:02 AM, Eddy Nigg <eddy_nigg at startcom.org 
> <mailto:eddy_nigg at startcom.org>> wrote:
>     Well, I wasn't talking about stapling really :-)
>     But stapling is supported currently by only 25% of web sites
>     serving certificates, but even here I believe servers can take a
>     more conservative approach and update the OCSP every X hours or
>     so. I'd recommend it in any case.
> Sure, but good security practices don't affect the minimum security. 
> That's been the point repeatedly in these discussions. The question 
> has been "How long can an attacker use a bad certificate" and "How 
> quickly will clients notice" - and an attacker that can staple a 
> response for 10 days (since stapling is widely supported in the major 
> browsers) is an attacker that can use that bad certificate.

You mean the attacker will use stapling in that case. Might make sense 
in which case I believe we might also want to review the current 
requirements. We don't use 10 days and most likely most major CAs don't 
(top ten accounting for 97% or so of all certs). In which case we also 
might find support to reduce this time to less.

It doesn't change my stance though that certificates should have always 
revocation pointers and software vendors may implement their own criteria.

Signer: 	Eddy Nigg, COO/CTO
	StartCom Ltd. <http://www.startcom.org>
XMPP: 	startcom at startcom.org <xmpp:startcom at startcom.org>
Blog: 	Join the Revolution! <http://blog.startcom.org>
Twitter: 	Follow Me <http://twitter.com/eddy_nigg>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20150612/469d6727/attachment-0003.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4313 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.cabforum.org/pipermail/public/attachments/20150612/469d6727/attachment-0001.p7s>

More information about the Public mailing list