[cabfpub] Short-lived certs

Ryan Sleevi sleevi at google.com
Thu Oct 5 05:36:12 UTC 2017


Could you supply data to support your claim that "internet connected
devices increasingly use trusted roots for connecting to smartphones"?

On Wed, Oct 4, 2017 at 8:21 PM, Jeremy Rowley via Public <
public at cabforum.org> wrote:

> Pre-signing OCSP responses for these certs is a waste of time as they’ll
> expire before the OCSP is ever delivered.

Delivered to who? Are you saying you deliver certificates before you've
produced OSP responses?

> When you are signing certs daily, even signing that first OCSP response
> eats up lots of processing power without providing any benefit to the
> user.  Removing OCSP for short-lived certs eliminates an external call to
> the CA


> and makes the certificate smaller,   both essential in device
> performance.  Plus, Mozilla already supports not checking revocation for
> these certs, meaning the revocation info is completely useless in at least
> one browser.
> Any takers on supporting this?
Do you have any new data to suggest clock skew isn't a significant issue,
and that such certificates would represent compatibility problems for the
ecosystem if deployed? Is the assumption that it's the sites and users'
fault/responsibility, despite the overall ecosystem widespread use could
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20171004/a9e0ef06/attachment-0003.html>

More information about the Public mailing list