[cabfpub] Ballot 153 - Short-Lived Certificates

Ryan Sleevi sleevi at google.com
Mon Nov 2 22:52:28 UTC 2015

On Mon, Nov 2, 2015 at 10:04 AM, kirk_hall at trendmicro.com <
kirk_hall at trendmicro.com> wrote:
> Let’s not go backward on the revocation security improvements the Forum
> has made over the past four years.  In fact, we should start ratcheting
> down on the maximum validity period for current OCSP responses, from 4 days
> to maybe 2 days, for greater user security.

While I appreciate this goal, I think there's been some meaningful
discussion about how doing so can harm, rather than help, user security, by
making it increasingly more difficult to make certificates available at
scale (e.g. to grow the use of TLS to 10x what it presently is).

I do appreciate the enthusiasm towards making revocation viable, but let's
also not lose sight of pragmatism in terms of scaling responders and
handling millions of OCSP signatures every two days.

> We can help solve the OCSP response infrastructure problems of both
> browsers and CAs by aggressively promoting stapling and working with server
> makers to turn on stapling by default – that’s the right way to proceed.

As obvious from the minutes of the Zurich/Baden F2F, I certainly feel quite
strongly that there is ample opportunity to promote stapling and work with
server operators. Since this is not a new sentiment to be expressed in the
Forum, do you have suggestions and/or has TrendMicro taken any steps
towards this goal? It feels hollow to say we shouldn't do X, and we should
do Y, if no one is taking actual steps to make Y a reality. Doubly so if
the reasons for not doing X aren't well founded, as Brian Smith separately
addressed on the other thread.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20151102/c5dde19f/attachment-0003.html>

More information about the Public mailing list