[cabfpub] Short-lived certs
Ryan Sleevi
sleevi at google.com
Thu Oct 5 05:36:12 UTC 2017
Jeremy,
Could you supply data to support your claim that "internet connected
devices increasingly use trusted roots for connecting to smartphones"?
On Wed, Oct 4, 2017 at 8:21 PM, Jeremy Rowley via Public <
public at cabforum.org> wrote:
> Pre-signing OCSP responses for these certs is a waste of time as they’ll
> expire before the OCSP is ever delivered.
>
Delivered to who? Are you saying you deliver certificates before you've
produced OCSP responses?
> When you are signing certs daily, even signing that first OCSP response
> eats up lots of processing power without providing any benefit to the
> user. Removing OCSP for short-lived certs eliminates an external call to
> the CA
>
Stapling
> and makes the certificate smaller, both essential in device
> performance. Plus, Mozilla already supports not checking revocation for
> these certs, meaning the revocation info is completely useless in at least
> one browser.
>
> Any takers on supporting this?
>
Do you have any new data to suggest clock skew isn't a significant issue,
and that such certificates would represent compatibility problems for the
ecosystem if deployed? Is the assumption that it's the sites and users'
fault/responsibility, despite the overall ecosystem widespread use could
cause?