[cabfpub] Ballot 153 – Short-Lived Certificates

Eddy Nigg eddy_nigg at startcom.org
Fri Oct 30 21:02:15 UTC 2015

On 10/30/2015 07:35 PM, kirk_hall at trendmicro.com wrote:
> Trend Micro opposes Ballot 153 – Short-Lived Certificates for the 
> following reasons.  The ballot is a major step backward for user security.

I think the solution for "short-lived" certificates lies with the 
browser vendors and them only - they may decide if and when they want to 
check revocation information and may ignore OCSP for certificates that 
will expire within X time. And of course take the necessary risks on 
behalf of their users.

For the record, this ballot improves previous proposals as it offers CRL 
DP in the certificates; it could be fine-tuned further by requiring that 
the CRL must be short-lived as well. Such certificates could use a 
different CRL DP than others with a longer validity, but it would have 
to be better defined in the ballot.

And obviously CRLs will not help in case a CA has lost control over 
current and future certificates (which may have been issued with future 
dates); basically we would be back to the same scenario as with OCSP 
without "unknown" responses.

Signer: 	Eddy Nigg, COO/CTO
	StartCom Ltd. <http://www.startcom.org>
XMPP: 	startcom at startcom.org <xmpp:startcom at startcom.org>
Blog: 	Join the Revolution! <http://blog.startcom.org>
Twitter: 	Follow Me <http://twitter.com/eddy_nigg>
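The message argues two things that a relying party can encode as policy: a client may skip online revocation checks for a certificate that expires within some window ("X time"), and where it does check, the CRL covering a short-lived certificate should not outlive that certificate. The following is an added illustration, not code from the post, from StartCom or from the CA/Browser Forum; the threshold value, the `CertInfo`/`CrlInfo` records and the `Decision` outcomes are assumptions made for the example, and the timestamps are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional

# Assumed policy threshold ("X time" in the message): a certificate with at most
# this much lifetime left is accepted without an online revocation check.
SHORT_LIVED_THRESHOLD = timedelta(days=3)


@dataclass
class CertInfo:
    """Minimal view of a certificate's validity and CRL distribution point."""
    not_before: datetime
    not_after: datetime
    crl_dp: Optional[str]  # CRL DP URL, or None if the certificate has none


@dataclass
class CrlInfo:
    """Minimal view of a fetched CRL: its validity window and whether it lists the cert."""
    this_update: datetime
    next_update: datetime
    revoked: bool


class Decision(Enum):
    EXPIRED = "expired"
    SKIP_REVOCATION = "skip_revocation"  # short-lived: client accepts the residual risk
    NO_CRL_DP = "no_crl_dp"
    CRL_UNAVAILABLE = "crl_unavailable"
    CRL_STALE = "crl_stale"              # now is outside [thisUpdate, nextUpdate]
    CRL_TOO_LONG = "crl_too_long"        # CRL window outlasts the certificate itself
    REVOKED = "revoked"
    GOOD = "good"


def crl_is_short_lived(cert: CertInfo, crl: CrlInfo) -> bool:
    """The CRL's validity window must not be longer than the certificate's."""
    return (crl.next_update - crl.this_update) <= (cert.not_after - cert.not_before)


def revocation_decision(cert: CertInfo, crl: Optional[CrlInfo], now: datetime) -> Decision:
    """Decide how to treat a certificate under the short-lived policy described above."""
    remaining = cert.not_after - now
    if remaining <= timedelta(0):
        return Decision.EXPIRED
    if remaining <= SHORT_LIVED_THRESHOLD:
        return Decision.SKIP_REVOCATION
    if cert.crl_dp is None:
        return Decision.NO_CRL_DP
    if crl is None:
        return Decision.CRL_UNAVAILABLE
    if not (crl.this_update <= now <= crl.next_update):
        return Decision.CRL_STALE
    if not crl_is_short_lived(cert, crl):
        return Decision.CRL_TOO_LONG
    return Decision.REVOKED if crl.revoked else Decision.GOOD


def max_acceptance_window(cert: CertInfo, now: datetime) -> timedelta:
    """Longest time a revoked-but-unchecked short-lived certificate would still be accepted."""
    return max(timedelta(0), min(cert.not_after - now, SHORT_LIVED_THRESHOLD))


if __name__ == "__main__":
    now = datetime(2015, 10, 30, 21, 0, tzinfo=timezone.utc)  # constructed
    short = CertInfo(now - timedelta(days=2), now + timedelta(days=1), "http://crl.example/short.crl")
    print(revocation_decision(short, None, now).value, max_acceptance_window(short, now))
```

The `max_acceptance_window` helper makes the trade-off the message describes explicit: skipping the check means a revoked certificate remains trusted for at most the smaller of its remaining lifetime and the threshold, which is the risk the client takes on behalf of its users.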
