[cabfpub] Short-Lived Certs - the return

Gervase Markham gerv at mozilla.org
Thu Mar 19 06:19:29 MST 2015


On 19/03/15 04:56, Ryan Sleevi wrote:
> Why 72 hours? Why not the OCSP max age?

My view is that the risk analysis is not equivalent. Sane people may
disagree :-) Also, the documented OCSP max age is not the same thing as
what people use in practice. Several CAs have mentioned that they use
lower numbers. Therefore one could see the higher number as "looser
security than we currently have /de facto/".

> The downside of setting such a low number is that you make it
> significantly more risky for issues to arise that prevent issuance,
> making it much less appealing to use short-lived certs.

I see that as a risk. My view was that if CAs have servers which go down
for > 24 hours, I'd worry about their OCSP servers, never mind
short-lived cert servers. Also, this seems like something the market
could fix.

Gerv


More information about the Public mailing list