[cabfpub] [PROMO]Re: Short-Lived Certificate Ballot

Rob Stradling rob.stradling at comodo.com
Sun Nov 1 20:18:03 UTC 2015


On 31/10/15 19:44, Brian Smith wrote:
<snip>
> In fact, because the maximum validity
> period of a short-lived certificate is shorter than the maximum lifetime
> of an OCSP response, short-lived certificates are actually a *safer*
> form of revocation than a stapled OCSP response.

Do browsers treat expiration as harshly as revocation yet (i.e. 
completely block access to the site, rather than warn the user but 
permit them to access the site anyway)?

If not, then I half agree (because staleness matters) and half disagree 
(because protecting users matters) that they're "a *safer* form of 
revocation".

-- 
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online


