[cabfpub] Ballot 153 – Short-Lived Certificates
Eddy Nigg
eddy_nigg at startcom.org
Fri Oct 30 21:02:15 UTC 2015
On 10/30/2015 07:35 PM, kirk_hall at trendmicro.com wrote:
>
> Trend Micro opposes Ballot 153 – Short-Lived Certificates for the
> following reasons. The ballot is a major step backward for user security.
>
I think the solution for "short-lived" certificates lies with the
browser vendors and them only - they may decide if and when they want to
check revocation information and may ignore OCSP for certificates that
will expire within X time. And of course take the necessary risks on
behalf of their users.
For the record, this ballot improves previous proposals as it offers CRL
DP in the certificates, it could be fine-tuned further by requiring that
the CRL must be as well short-lived. Such certificates could use a
different CRL DP than others with a longer validity, but it would have
to be better defined in the ballot.
And obviously CRLs will not help in case a CA has lost control over
current and future certificates (which may have been issued with future
dates), basically we would be back to the same scenario as with OCSP
without "unknown" responses.
--
Regards
Signer: Eddy Nigg, COO/CTO
StartCom Ltd. <http://www.startcom.org>
XMPP: startcom at startcom.org <xmpp:startcom at startcom.org>
Blog: Join the Revolution! <http://blog.startcom.org>
Twitter: Follow Me <http://twitter.com/eddy_nigg>
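The relying-party policy sketched in the post above (skip OCSP for a certificate that will expire within X, and only accept a CRL that is itself short-lived), written out as an added example; this is constructed illustration code, not part of the original message or of any CA/B Forum text. The threshold `x`, the clock-skew allowance, the `Validity`/`CrlInfo` records and all timestamps are assumptions chosen for the demo.

```python
"""Hypothetical relying-party policy for short-lived certificates.

Constructed example: a browser-side decision that waives the revocation
lookup when a certificate expires within X, rejects certificates outside
their validity window (including future-dated ones), and insists that a
CRL referenced from a short-lived certificate's DP is itself short-lived.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum


class Decision(Enum):
    SKIP_REVOCATION = "skip"    # expires within X: no OCSP/CRL lookup
    CHECK_REVOCATION = "check"  # consult OCSP or the CRL DP as usual
    REJECT = "reject"           # outside its validity window


@dataclass(frozen=True)
class Validity:
    """notBefore/notAfter of a certificate (assumed already parsed)."""
    not_before: datetime
    not_after: datetime


@dataclass(frozen=True)
class CrlInfo:
    """thisUpdate/nextUpdate of a CRL (assumed already parsed)."""
    this_update: datetime
    next_update: datetime


def decide(v: Validity, now: datetime,
           x: timedelta = timedelta(days=3),
           skew: timedelta = timedelta(minutes=5)) -> Decision:
    """'Ignore OCSP for certificates that will expire within X time.'

    Note the caveat this policy carries: it keys on remaining lifetime, so a
    long-lived certificate in its final days also qualifies. A stricter
    variant would key on total lifetime (not_after - not_before) instead.
    """
    if now + skew < v.not_before:      # not yet valid, e.g. future-dated
        return Decision.REJECT
    if now - skew > v.not_after:       # already expired
        return Decision.REJECT
    if v.not_after - now <= x:
        return Decision.SKIP_REVOCATION
    return Decision.CHECK_REVOCATION


def crl_acceptable_for_short_lived(crl: CrlInfo, x: timedelta) -> bool:
    """A CRL served for short-lived certificates must be short-lived too."""
    return crl.next_update - crl.this_update <= x


if __name__ == "__main__":
    # Constructed timestamps for the demo (the post's date is reused as 'now').
    now = datetime(2015, 10, 30, 21, 0, tzinfo=timezone.utc)
    cases = {
        "short-lived, 2 days left":   Validity(now - timedelta(days=1),   now + timedelta(days=2)),
        "one-year cert, mid-life":    Validity(now - timedelta(days=30),  now + timedelta(days=300)),
        "future-dated (notBefore)":   Validity(now + timedelta(days=1),   now + timedelta(days=4)),
        "expired yesterday":          Validity(now - timedelta(days=4),   now - timedelta(days=1)),
    }
    for label, v in cases.items():
        print(f"{label:28s} -> {decide(v, now).value}")
    crl = CrlInfo(now - timedelta(hours=1), now + timedelta(days=10))
    print("10-day CRL acceptable for short-lived certs:",
          crl_acceptable_for_short_lived(crl, timedelta(days=3)))
```

The skew allowance matters in practice: a certificate issued a minute ago by a CA whose clock is slightly ahead should not be rejected as "future-dated", while one whose notBefore lies days ahead should.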