[cabfpub] Short-Lived Certs - the return

Eddy Nigg eddy_nigg at startcom.org
Thu Mar 19 15:53:17 UTC 2015

On 03/19/2015 03:19 PM, Gervase Markham wrote:
> On 19/03/15 04:56, Ryan Sleevi wrote:
>> Why 72 hours? Why not the OCSP max age?
> My view is that the risk analysis is not equivalent. Sane people may
> disagree :-) Also, the documented OCSP max age is not the same thing as
> what people use in practice. Several CAs have mentioned that they use
> lower numbers. Therefore one could see the higher number as "looser
> security than we currently have /de facto/".

While probably true, it's actually even less relevant because it really 
depends on what browsers actually do.

And here it looks much different; as an example, your Firefox reloads it 
every 24 hours. Not sure about others like IE and Safari, but it could 
also be set to a fixed time instead of what the OCSP advertises as max age.

Signer: Eddy Nigg, COO/CTO
StartCom Ltd. <http://www.startcom.org>
XMPP: startcom at startcom.org <xmpp:startcom at startcom.org>
Blog: Join the Revolution! <http://blog.startcom.org>
Twitter: Follow Me <http://twitter.com/eddy_nigg>
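The argument in this thread is about how long a relying party keeps trusting a certificate after the CA revokes it, and whether a 72-hour short-lived certificate is better or worse than the OCSP caching browsers actually do. The following is an added illustration, not code from the message or from any CA or browser: a small model of the worst case (the client fetched a "good" OCSP response just before revocation). The 24-hour Firefox refresh is the figure stated in the message above; the 7-day advertised max age and the 72-hour short-lived validity are assumptions chosen for the comparison. The model deliberately ignores OCSP stapling, soft-fail behaviour and responder lag, so it is an upper bound on acceptance time, not a measurement.

```python
from datetime import datetime, timedelta, timezone

HOUR = timedelta(hours=1)

# Assumed figures for the comparison (not from the message, except the 24 h
# Firefox refresh interval that Eddy Nigg cites above).
ADVERTISED_MAX_AGE = timedelta(days=7)   # assumption: CA's nextUpdate - thisUpdate
FIREFOX_REFRESH = 24 * HOUR              # stated in the message: Firefox reloads every 24 h
SHORT_LIVED_VALIDITY = 72 * HOUR         # the 72-hour figure under discussion


def ocsp_acceptance_window(fetched_at, revoked_at, advertised_max_age,
                           client_refresh=None):
    """Worst-case time a client keeps trusting a cert after revocation when it
    relies on a cached 'good' OCSP response.

    fetched_at:         when the client fetched the still-'good' response
    revoked_at:         when the CA revoked the certificate
    advertised_max_age: cache lifetime the CA advertises (max-age / nextUpdate)
    client_refresh:     fixed re-fetch interval the browser enforces regardless
                        of the advertised lifetime; None means honour the CA
    Returns a timedelta; zero if the cached response had already expired.
    """
    lifetime = advertised_max_age
    if client_refresh is not None:
        lifetime = min(advertised_max_age, client_refresh)
    cache_expires = fetched_at + lifetime
    return max(cache_expires - revoked_at, timedelta(0))


def short_lived_acceptance_window(not_before, validity, revoked_at):
    """A short-lived cert carries no revocation information: it is trusted
    until notAfter no matter when the CA would have liked to revoke it."""
    not_after = not_before + validity
    return max(not_after - revoked_at, timedelta(0))


def compare_scenarios(t0, revoked_at):
    """Hours during which a revoked cert is still accepted, per scenario.
    t0 is both the OCSP fetch time and the short-lived cert's notBefore."""
    return {
        "ocsp_ca_max_age": ocsp_acceptance_window(
            t0, revoked_at, ADVERTISED_MAX_AGE).total_seconds() / 3600,
        "ocsp_firefox_24h": ocsp_acceptance_window(
            t0, revoked_at, ADVERTISED_MAX_AGE, FIREFOX_REFRESH).total_seconds() / 3600,
        "short_lived_72h": short_lived_acceptance_window(
            t0, SHORT_LIVED_VALIDITY, revoked_at).total_seconds() / 3600,
    }


if __name__ == "__main__":
    # Constructed scenario: revocation one minute after the client cached 'good'.
    t0 = datetime(2015, 3, 19, 0, 0, tzinfo=timezone.utc)
    revoked = t0 + timedelta(minutes=1)
    for name, hours in compare_scenarios(t0, revoked).items():
        print(f"{name:18s} {hours:7.2f} h")
```

The point the numbers make is the one Eddy raises: the comparison with "the OCSP max age" only means something if you plug in what the browser actually enforces, and a client that re-fetches on a fixed 24-hour schedule narrows the window far below the CA's advertised value. Whether 72 hours is "looser" therefore depends on which client you model, not on the documented max age alone.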
