[cabfpub] Short lived certificates

Jeremy Rowley jeremy.rowley at digicert.com
Tue Oct 6 01:56:20 MST 2015


This is the language for tomorrow’s discussion on short-lived certificates. I think we’ve exhausted both sides of permitting v. disallowing short-lived certs so instead of arguing over that, I’d rather see if we can find language that people feel provide an appropriate safe-guard while still permitting the advantages given by short-lived certs. One thing we could do is require CRLs (instead of OCSP) for short-lived certs.  This won’t expand CRL size almost at all because they will pretty much fall out of the CRLs by the time the CRL issues (24 hours to issue the CRL means only one CRL before they are removed again).

I’ll be looking for endorsers tomorrow.

….

4.9.10. On‐line Revocation Checking Requirements

Effective 1 January 2013, the CA SHALL support an OCSP capability using the GET method for Certificates issued in accordance with these Requirements.

For the status of Subscriber Certificates with a certificate expiration that is within 48 hours of the certificate’s issuance: The CA SHALL update information provided via an Online Certificate Status Protocol at least every four days. OCSP responses from this service MUST have a maximum expiration time of ten days.

7.1.2.3. Subscriber Certificate
…
c. authorityInformationAccess With the exception of stapling and  certificates that expire within 48 hours of the certificate’s issuance, which is noted below, this extension MUST be present. It MUST NOT be marked critical, and it MUST contain the HTTP URL of the Issuing CA’s OCSP responder (accessMethod = 1.3.6.1.5.5.7.48.1). It SHOULD also contain the HTTP URL of the Issuing CA’s certificate (accessMethod = 1.3.6.1.5.5.7.48.2).

The HTTP URL of the Issuing CA’s OCSP responder MAY be omitted provided that the certificate expires within 48 hours of the certificate’s issuance or Subscriber “staples” OCSP responses for the Certificate in its TLS handshakes [RFC4366].

Jeremy
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://cabforum.org/pipermail/public/attachments/20151006/26e04892/attachment.html 


More information about the Public mailing list