[cabfpub] Short-lived certs

Jeremy Rowley jeremy.rowley at digicert.com
Wed Oct 4 20:21:41 MST 2017


I'd like to revisit short-lived certificates and see if there is an interest
in adopting the previous proposal to permit removal of OCSP information from
certificates with a 3 day or shorter validation period. I think there's been
enough change over the past few years to warrant a fresh look. In
particular, internet connected devices increasingly use trusted roots for
connecting to smart phones.  Some of these have certificate validity periods
as short as 15 minutes.  Pre-signing OCSP responses for these certs is a
waste of time as they'll expire before the OCSP is ever delivered. When you
are signing certs daily, even signing that first OCSP response eats up lots
of processing power without providing any benefit to the user.  Removing
OCSP for short-lived certs eliminates an external call to the CA and makes
the certificate smaller,   both essential in device performance.  Plus,
Mozilla already supports not checking revocation for these certs, meaning
the revocation info is completely useless in at least one browser.  

 

Any takers on supporting this?

 

Jeremy

 

 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/public/attachments/20171005/ce6526d3/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4984 bytes
Desc: not available
URL: <http://cabforum.org/pipermail/public/attachments/20171005/ce6526d3/attachment.p7s>


More information about the Public mailing list