[cabfpub] Short-Lived Certs - the return

Jeremy Rowley jeremy.rowley at digicert.com
Tue Mar 10 18:14:38 UTC 2015


The holidays of 2014 apparently caused us to stop discussing short lived certs. I'd like to resurrect the topic and move forward with the proposal.

The modifications required to the BRs are simple:


1. Add a Definition for Short-Lived Certificate:
Short-Lived Certificate: An end-entity Certificate containing a validity period of 72 hours or less and where the Certificate is issued by the CA within 24 hours after the notBefore Date listed in the Certificate.


2. Amend Section 3.1.5:
"The CA SHALL revoke a Certificate, other than a Short-Lived Certificate, within 24 hours if one or more of the following occur:"


3. Amend Appendix B(3)(C):

"With the exception of (i) Short-Lived Certificates or (ii) stapling as noted below, this extension MUST be present. It MUST NOT be marked critical, and it MUST contain the HTTP URL of the Issuing CA's OCSP responder (accessMethod = 1.3.6.1.5.5.7.48.1). It SHOULD also contain the HTTP URL of the Issuing CA's certificate (accessMethod = 1.3.6.1.5.5.7.48.2). See Section 13.2.1 for details. The HTTP URL of the Issuing CA's OCSP responder MAY be omitted provided that the Subscriber "staples" OCSP responses for the Certificate in its TLS handshakes [RFC4366]."
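As an added illustration, not part of Jeremy's mail or the ballot text, the following Python checks a certificate's validity dates and signing time against the proposed definition and reports which of the two amended BR obligations still apply. The CertTimes type, the sample dates and the assumption that the caller supplies the CA's actual signing time (it is not recorded in the certificate) are mine.

```python
"""Check certificate timing against the proposed 'Short-Lived Certificate'
definition (validity <= 72 h, signed no more than 24 h after notBefore) and
report which amended BR obligations still apply. Constructed example."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

MAX_VALIDITY = timedelta(hours=72)      # "validity period of 72 hours or less"
MAX_ISSUANCE_LAG = timedelta(hours=24)  # "issued ... within 24 hours after the notBefore Date"

@dataclass(frozen=True)
class CertTimes:
    not_before: datetime  # X.509 Validity.notBefore, UTC
    not_after: datetime   # X.509 Validity.notAfter, UTC
    issued_at: datetime   # when the CA signed it: not in the certificate, so the
                          # caller supplies it from CA records or a CT log timestamp

def utc(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)

def validity_period(c: CertTimes) -> timedelta:
    # The ballot does not say whether notAfter's inclusive last second counts;
    # the plain difference is used here.
    return c.not_after - c.not_before

def is_short_lived(c: CertTimes) -> bool:
    lag = c.issued_at - c.not_before
    # Assumption: a certificate signed before its notBefore is not "issued ...
    # after the notBefore Date", so a negative lag does not qualify.
    return validity_period(c) <= MAX_VALIDITY and timedelta(0) <= lag <= MAX_ISSUANCE_LAG

def br_obligations(c: CertTimes) -> dict:
    """Which of the two amended requirements still bind this certificate."""
    sl = is_short_lived(c)
    return {
        "short_lived": sl,
        "revoke_within_24h_applies": not sl,  # amended Section 3.1.5
        "ocsp_aia_required": not sl,          # amended Appendix B(3)(C), absent stapling
    }

# Constructed sample certificates; all dates are made up.
SAMPLES = {
    # Signed at notBefore, exactly 72 h long: qualifies ("72 hours or less").
    "three_day": CertTimes(utc("2015-03-10 18:00:00"), utc("2015-03-13 18:00:00"), utc("2015-03-10 18:00:00")),
    # 48 h long but signed 30 h after a back-dated notBefore: does not qualify.
    "backdated": CertTimes(utc("2015-03-10 00:00:00"), utc("2015-03-12 00:00:00"), utc("2015-03-11 06:00:00")),
    # Ordinary one-year certificate: both obligations remain.
    "one_year": CertTimes(utc("2015-03-10 18:00:00"), utc("2016-03-10 18:00:00"), utc("2015-03-10 18:00:00")),
}
```

Note that a back-dated notBefore is the case the 24-hour issuance clause is there to catch: a CA cannot turn a long-lived certificate into a "short-lived" one by choosing its validity window after the fact.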

At this point, I think I'm looking for suggestions on improving the ballot and endorsers.

Jeremy