[cabfpub] Short-Lived Certs - the return

Geoff Keating geoffk at apple.com
Thu Jun 11 22:24:55 UTC 2015


> On 11 Jun 2015, at 4:54 am, Doug Beattie <doug.beattie at globalsign.com> wrote:

> While Revocation can take place immediately, the BRs only say that you must update your cert status every 10 days.

The BRs say, for subscriber certificates:

4.9.7:
> If the CA publishes a CRL, then the CA SHALL update and reissue CRLs at least once every seven days

4.9.10:
> The CA SHALL update information provided via an Online Certificate Status Protocol at least every four days.

For intermediates, the rule is 24 hours for both CRL and OCSP, if an intermediate is revoked.


It is not clear to me that section 4.9.1.1, which says "The CA SHALL revoke a Certificate within 24 hours", is intended to be overridden by the later sections about updating CRL/OCSP; the later sections might be about the case where no revocations have been made, that is, about the freshness of unchanged 'good' responses.

I would say that a well-run CA should be updating OCSP in no more than a few seconds when a certificate is revoked and CRLs within hours.
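
As an added illustration (not part of the post above, and not code from the CA/Browser Forum or any CA), the following Python checks the validity window of a CRL or OCSP response against the intervals quoted in the message (7 days for a subscriber CRL, 4 days for subscriber OCSP, 24 hours for a revoked intermediate) and computes the worst-case lag a caching relying party could experience. The sample thisUpdate/nextUpdate values are constructed; the `StatusArtifact`, `check_interval` and `worst_case_lag` names are this example's own, and the lag calculation assumes a CA that publishes strictly on its interval and clients that cache until nextUpdate.

```python
"""Freshness check for CRL / OCSP artifacts against the BR intervals quoted
in the thread. Added example, not code from the list or from any CA."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Maximum update intervals as quoted in the message: BR 4.9.7 (CRL, 7 days)
# and 4.9.10 (OCSP, 4 days) for subscriber certificates; 24 hours for a
# revoked intermediate. REVOKE_DEADLINE is the 24-hour figure from 4.9.1.1.
MAX_INTERVAL = {
    ("crl", "subscriber"): timedelta(days=7),
    ("ocsp", "subscriber"): timedelta(days=4),
    ("crl", "intermediate"): timedelta(hours=24),
    ("ocsp", "intermediate"): timedelta(hours=24),
}
REVOKE_DEADLINE = timedelta(hours=24)


def parse_asn1_time(value: str) -> datetime:
    """Parse the time encodings used in CRLs and OCSP responses (RFC 5280):
    UTCTime 'YYMMDDHHMMSSZ' (two-digit year: 50-99 => 19xx, 00-49 => 20xx)
    and GeneralizedTime 'YYYYMMDDHHMMSSZ'. Both must be UTC ('Z')."""
    if not value.endswith("Z"):
        raise ValueError(f"expected UTC time ending in 'Z': {value!r}")
    body = value[:-1]
    if len(body) == 12:  # UTCTime: expand the two-digit year per RFC 5280
        yy = int(body[:2])
        year = 1900 + yy if yy >= 50 else 2000 + yy
        body = f"{year}{body[2:]}"
    elif len(body) != 14:
        raise ValueError(f"unrecognised ASN.1 time: {value!r}")
    return datetime.strptime(body, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


@dataclass(frozen=True)
class StatusArtifact:
    source: str       # "crl" or "ocsp"
    cert_kind: str    # "subscriber" or "intermediate"
    this_update: datetime
    next_update: datetime

    @property
    def interval(self) -> timedelta:
        return self.next_update - self.this_update


def check_interval(artifact: StatusArtifact) -> tuple[bool, timedelta]:
    """Return (within_limit, interval) against MAX_INTERVAL for this artifact."""
    limit = MAX_INTERVAL[(artifact.source, artifact.cert_kind)]
    return artifact.interval <= limit, artifact.interval


def worst_case_lag(artifact: StatusArtifact) -> timedelta:
    """Longest time from a revocation request to every relying party seeing
    'revoked', assuming (this example's assumptions) the CA publishes only at
    its interval, takes the full 24 hours of 4.9.1.1 to revoke, and clients
    cache the artifact until nextUpdate. A request arriving just under 24 hours
    before a publication is processed after that publication, so it first
    appears in the one after it: deadline plus one full interval."""
    return REVOKE_DEADLINE + artifact.interval


# Constructed sample artifacts (UTCTime for the CRL, GeneralizedTime for OCSP).
SAMPLE_CRL = StatusArtifact(
    "crl", "subscriber",
    parse_asn1_time("150611000000Z"), parse_asn1_time("150618000000Z"))
SAMPLE_OCSP = StatusArtifact(
    "ocsp", "subscriber",
    parse_asn1_time("20150611000000Z"), parse_asn1_time("20150616000000Z"))
SAMPLE_INTERMEDIATE_CRL = StatusArtifact(
    "crl", "intermediate",
    parse_asn1_time("150611000000Z"), parse_asn1_time("150612000000Z"))


def report(artifacts: list[StatusArtifact]) -> list[str]:
    """One human-readable line per artifact; returned so callers can log it."""
    lines = []
    for a in artifacts:
        ok, interval = check_interval(a)
        lines.append(
            f"{a.source.upper():4} {a.cert_kind:12} window={interval} "
            f"{'OK' if ok else 'EXCEEDS LIMIT'} worst-case lag={worst_case_lag(a)}")
    return lines


if __name__ == "__main__":
    print("\n".join(report([SAMPLE_CRL, SAMPLE_OCSP, SAMPLE_INTERMEDIATE_CRL])))
```

The constructed OCSP sample has a five-day window and is flagged, while the seven-day CRL passes; `worst_case_lag` makes visible that, under the stated assumptions, a compliant seven-day CRL can leave cached clients seeing 'good' for up to eight days, which is the practical reason for the closing remark about updating OCSP within seconds and CRLs within hours.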