[cabfpub] Short-lived certs

Tim Hollebeek THollebeek at trustwave.com
Thu Oct 5 14:48:53 MST 2017


Are 15 minute certs a good idea in a CT world?

-Tim

From: Public [mailto:public-bounces at cabforum.org] On Behalf Of Jeremy Rowley via Public
Sent: Thursday, October 5, 2017 3:23 PM
To: Ryan Sleevi <sleevi at google.com>
Cc: CA/Browser Forum Public Discussion List <public at cabforum.org>
Subject: Re: [cabfpub] Short-lived certs

For a short-lived cert that is truly short-lived, you never deliver a meaningful response.  Of course, there’s always an initial “good” response for an initially issued cert, but that only tells me it was issued.  By the time I sign a new response, the cert is expired.

I’m not sure why people are requesting 15 min or 8 hour certs. We can do them, but then we need to sign an OCSP response as well. Requiring OCSP on these certs doesn’t mean that the certs don’t exist.

From: Ryan Sleevi [mailto:sleevi at google.com]
Sent: Wednesday, October 4, 2017 11:58 PM
To: Jeremy Rowley <jeremy.rowley at digicert.com<mailto:jeremy.rowley at digicert.com>>
Cc: CA/Browser Forum Public Discussion List <public at cabforum.org<mailto:public at cabforum.org>>
Subject: Re: [cabfpub] Short-lived certs



On Wed, Oct 4, 2017 at 10:54 PM, Jeremy Rowley <jeremy.rowley at digicert.com<mailto:jeremy.rowley at digicert.com>> wrote:

Pre-signing OCSP responses for these certs is a waste of time as they’ll expire before the OCSP is ever delivered.

Delivered to who? Are you saying you deliver certificates before you've produced OCSP responses?

  *   If we pre-sign an OCSP response for a 15 min cert, the OCSP is rarely used.

But that's different than what you said - you indicated that 15 minutes is because the OCSP is delivered, and I was trying to understand delivered to who/what?


  *   When you are signing certs daily, even signing that first OCSP response eats up lots of processing power without providing any benefit to the user.  Removing OCSP for short-lived certs eliminates an external call to the CA

Stapling

  *   These are usually on a home network. Getting an OCSP response to staple through the firewall usually doesn’t happen

Can you explain how you deliver a cert, but cannot deliver an OCSP response for said cert?

  *   Clock skew is a problem. That is the assumption.  But that’s not really relevant to the OCSP issue right? That’s more an issue with certificate lifecycles. My contention is that OCSP provides little value in the context of a three day, or less, cert.

Well, your stated objective is to support lifetimes for as low as 15 minutes. If this objective is not reasonable - or is detrimental - then the need to not include revocation information is no longer there, right? Or are there other reasons that weren't enumerated?
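As an added illustration (not part of this thread, and not any CA's documented practice), a small Python model of the two points argued above: how little of a short certificate's lifetime a periodically signed OCSP response can ever cover, and how a relying party's clock skew cuts into the usable lifetime. The signing cadence, the first-response delay and the skew values are assumed inputs chosen to match the lifetimes discussed (15 minutes, 8 hours, 3 days, 90 days).

```python
MINUTE, HOUR, DAY = 60, 3600, 86400   # all durations below are in seconds


def revocation_visible_fraction(lifetime, first_response_delay, refresh_interval):
    """Fraction of a certificate's lifetime during which a revocation could
    still appear in a newly signed OCSP response before the cert expires.

    Assumed operational model: the CA signs the first response
    `first_response_delay` seconds after issuance and a fresh one every
    `refresh_interval` seconds after that.  A revocation at time r becomes
    visible at the next signing instant at or after r, and only helps a
    relying party if that instant falls strictly before expiry."""
    if lifetime <= 0 or refresh_interval <= 0:
        raise ValueError("lifetime and refresh_interval must be positive")
    if first_response_delay >= lifetime:
        return 0.0                               # nothing is signed before expiry
    # number of refreshes that still land strictly before expiry
    n = (lifetime - first_response_delay - 1) // refresh_interval
    last_signing = first_response_delay + n * refresh_interval
    return last_signing / lifetime


def accepted_fraction_with_skew(lifetime, relying_party_offset, tolerance=0):
    """Fraction of the true lifetime during which a relying party whose clock
    runs `relying_party_offset` seconds ahead of true time (negative: behind)
    accepts the certificate, given it allows `tolerance` seconds of slack on
    either side of the validity window:
        notBefore - tolerance <= rp_clock <= notAfter + tolerance."""
    # Translate the acceptance window into true time and clip it to [0, lifetime].
    start = max(0, -tolerance - relying_party_offset)
    end = min(lifetime, lifetime + tolerance - relying_party_offset)
    return max(0, end - start) / lifetime


if __name__ == "__main__":
    # Constructed scenario: daily OCSP refresh, first response signed at issuance,
    # and a client whose clock is 10 minutes behind true time.
    for name, life in (("15 min", 15 * MINUTE), ("8 h", 8 * HOUR),
                       ("3 days", 3 * DAY), ("90 days", 90 * DAY)):
        ocsp = revocation_visible_fraction(life, 0, DAY)
        skew = accepted_fraction_with_skew(life, -10 * MINUTE)
        print(f"{name:>7}: revocation publishable for {ocsp:6.1%} of lifetime;"
              f" accepted by a client 10 min behind for {skew:7.2%} of lifetime")
```

For the 15-minute and 8-hour cases the first column is zero: the only response that ever exists is the initial "good" signed at issuance, which is exactly the point made above about it only proving issuance.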