[cabfpub] Short-lived certs

Ryan Sleevi sleevi at google.com
Mon Oct 9 16:05:10 UTC 2017


Sure, but this didn't answer my questions, and I'm guessing was just a
quick reply.

I questioned both the motive and the problem statement, and it didn't seem
like there were good answers. I'm hoping you could revisit, and we can see
how much of a problem this is in actual practice.

On Thu, Oct 5, 2017 at 3:23 AM, Jeremy Rowley <jeremy.rowley at digicert.com>
wrote:

> For a short-lived cert that is truly short-lived, you never deliver a
> meaningful response.  Of course, there’s always an initial “good” response
> for an initially issued cert, but that only tells me it was issued.  By the
> time I sign a new response, the cert is expired.
>
>
>
> I’m not sure why people are requesting 15 min or 8 hour certs. We can do
> them, but then we need to sign an OCSP response as well. Requiring OCSP
> on these certs doesn’t mean that the certs don’t exist.
>
>
>
> *From:* Ryan Sleevi [mailto:sleevi at google.com]
> *Sent:* Wednesday, October 4, 2017 11:58 PM
> *To:* Jeremy Rowley <jeremy.rowley at digicert.com>
> *Cc:* CA/Browser Forum Public Discussion List <public at cabforum.org>
> *Subject:* Re: [cabfpub] Short-lived certs
>
>
>
>
>
>
>
> On Wed, Oct 4, 2017 at 10:54 PM, Jeremy Rowley <jeremy.rowley at digicert.com>
> wrote:
>
>
> Pre-signing OCSP responses for these certs is a waste of time as they’ll
> expire before the OCSP is ever delivered.
>
>
>
> Delivered to who? Are you saying you deliver certificates before you've
> produced OSP responses?
>
>    - If we pre-sign an OCSP response for a 15 min cert, the OCSP is
>    rarely used.
>
>
>
> But that's different than what you said - you indicated that 15 minutes is
> because the OCSP is delivered, and I was trying to understand delivered to
> who/what <https://teams.googleplex.com/u/what>?
>
>
>
>
>    -
>
> When you are signing certs daily, even signing that first OCSP response
> eats up lots of processing power without providing any benefit to the
> user.  Removing OCSP for short-lived certs eliminates an external call to
> the CA
>
>
>
> Stapling
>
>    - These are usually on a home network. Getting an OCSP response to
>    staple through the firewall usually doesn’t happen
>
> Can you explain how you deliver a cert, but cannot deliver an OCSP
> response for said cert?
>
> -                      Clock skew is a problem. That is the assumption.
> But that’s not really relevant to the OCSP issue right? That’s more an
> issue with certificate lifecycles. My contention is that OCSP provides
> little value in the context of a three day, or less, cert.
>
> Well, your stated objective is to support lifetimes for as low as 15
> minutes. If this objective is not reasonable - or is detrimental - then the
> need to not include revocation information no longer there, right? Or are
> there other reasons that weren't enumerated?
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20171009/efc04d8d/attachment-0003.html>


More information about the Public mailing list