[cabfpub] Short-lived certs

Jeremy Rowley jeremy.rowley at digicert.com
Thu Oct 5 00:23:00 MST 2017


For a short-lived cert that is truly short-lived, you never deliver a meaningful response.  Of course, there’s always an initial “good” response for an initially issued cert, but that only tells me it was issued.  By the time I sign a new response, the cert is expired.

 

I’m not sure why people are requesting 15 min or 8 hour certs. We can do them, but then we need to sign an OCSP response as well. Requiring OCSP on these certs doesn’t mean that the certs don’t exist. 

 

From: Ryan Sleevi [mailto:sleevi at google.com] 
Sent: Wednesday, October 4, 2017 11:58 PM
To: Jeremy Rowley <jeremy.rowley at digicert.com>
Cc: CA/Browser Forum Public Discussion List <public at cabforum.org>
Subject: Re: [cabfpub] Short-lived certs

 

 

 

On Wed, Oct 4, 2017 at 10:54 PM, Jeremy Rowley <jeremy.rowley at digicert.com <mailto:jeremy.rowley at digicert.com> > wrote:


Pre-signing OCSP responses for these certs is a waste of time as they’ll expire before the OCSP is ever delivered. 

 

Delivered to who? Are you saying you deliver certificates before you've produced OSP responses?

*	If we pre-sign an OCSP response for a 15 min cert, the OCSP is rarely used.

 

But that's different than what you said - you indicated that 15 minutes is because the OCSP is delivered, and I was trying to understand delivered to who/what?

 

*	 

When you are signing certs daily, even signing that first OCSP response eats up lots of processing power without providing any benefit to the user.  Removing OCSP for short-lived certs eliminates an external call to the CA 

 

Stapling

*	These are usually on a home network. Getting an OCSP response to staple through the firewall usually doesn’t happen

Can you explain how you deliver a cert, but cannot deliver an OCSP response for said cert?

-                      Clock skew is a problem. That is the assumption.  But that’s not really relevant to the OCSP issue right? That’s more an issue with certificate lifecycles. My contention is that OCSP provides little value in the context of a three day, or less, cert.

Well, your stated objective is to support lifetimes for as low as 15 minutes. If this objective is not reasonable - or is detrimental - then the need to not include revocation information no longer there, right? Or are there other reasons that weren't enumerated?

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/public/attachments/20171005/15cbebbc/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4984 bytes
Desc: not available
URL: <http://cabforum.org/pipermail/public/attachments/20171005/15cbebbc/attachment-0001.p7s>


More information about the Public mailing list