[cabfpub] Short-lived certs
sleevi at google.com
Wed Oct 4 22:36:12 MST 2017
Could you supply data to support your claim that "internet connected
devices increasingly use trusted roots for connecting to smartphones"?
On Wed, Oct 4, 2017 at 8:21 PM, Jeremy Rowley via Public <
public at cabforum.org> wrote:
> Pre-signing OCSP responses for these certs is a waste of time as they’ll
> expire before the OCSP is ever delivered.
Delivered to who? Are you saying you deliver certificates before you've
produced OCSP responses?
> When you are signing certs daily, even signing that first OCSP response
> eats up lots of processing power without providing any benefit to the
> user. Removing OCSP for short-lived certs eliminates an external call to
> the CA and makes the certificate smaller, both essential in device
> performance. Plus, Mozilla already supports not checking revocation for
> these certs, meaning the revocation info is completely useless in at least
> one browser.
> Any takers on supporting this?
Do you have any new data to suggest clock skew isn't a significant issue,
and that such certificates would represent compatibility problems for the
ecosystem if deployed? Is the assumption that it's the sites and users'
fault/responsibility, despite the overall ecosystem widespread use could