[cabfpub] OCSP Stapling and Short-Lived Certificates Proposal

Ryan Sleevi sleevi at google.com
Sat Mar 23 00:44:11 UTC 2013


On Fri, Mar 22, 2013 at 5:38 PM, Rick Andrews <Rick_Andrews at symantec.com> wrote:

> I'm very much in agreement with Eddy on this.
>
> Consider this: If I take the basic argument that you don't need to check
> revocation on a short lived cert (say, valid for 7 days) because the CA's
> OCSP responses are also good for 7 days, then I would claim that when SSL
> clients (browsers) see a long-lived SSL certificate, they can skip
> revocation checking if the cert is less than 7 days old. I certainly
> wouldn't want browsers to do that.
>
> -Rick
>

I'm not sure I follow your logic, Rick.

If the browser has obtained a valid OCSP response (e.g. via OCSP stapling),
it can skip obtaining fresh revocation information - because to every
compliant implementation, it IS fresh revocation information.

If there's NO revocation information, I don't think the same argument
applies.

The point of the discussion here is not about what the exact behaviour is -
but what the effective security is. And in the case of short-lived certs,
the effective security is identical.

It's certainly reasonable to discuss whether the effective security is
IDEAL, but that's a separate discussion from the one we're having - which
is establishing whether or not the effective security of a short-lived cert
is the same effective security as providing revocation information.
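The disagreement above is about the window during which a client may still accept a certificate after its key is compromised. The following is an added example, not part of the original thread, that models the three cases under discussion: a 7-day certificate with no revocation information, a long-lived certificate with a 7-day stapled OCSP response, and a long-lived certificate whose client simply skips revocation checking. All dates, validity periods and the `Cert`/`OcspResponse` types are constructed for illustration.

```python
"""Worst-case exposure after key compromise under three revocation models.

Added example for the cabfpub thread; all timestamps are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional


@dataclass(frozen=True)
class Cert:
    not_before: datetime
    not_after: datetime


@dataclass(frozen=True)
class OcspResponse:
    this_update: datetime
    next_update: datetime
    good: bool          # True for "good", False for "revoked"


def accepts(cert: Cert, now: datetime, staple: Optional[OcspResponse],
            require_revocation_info: bool) -> bool:
    """Decision of a compliant client at time `now`.

    A stapled response whose [thisUpdate, nextUpdate] window covers `now`
    is fresh revocation information, whatever the age of the certificate.
    Without fresh information the outcome depends on whether the client
    insists on having it (hard-fail) or not (soft-fail).
    """
    if not (cert.not_before <= now <= cert.not_after):
        return False
    if staple is not None and staple.this_update <= now <= staple.next_update:
        return staple.good
    return not require_revocation_info


def worst_case_exposure(cert: Cert, compromise_at: datetime,
                        last_good_staple: Optional[OcspResponse],
                        require_revocation_info: bool) -> timedelta:
    """How long after `compromise_at` a client may still accept the cert.

    Assumes the CA revokes immediately, but whoever holds the key can keep
    presenting the last "good" response signed before revocation. Soft-fail
    clients are bounded only by the certificate's expiry; hard-fail clients
    by the staple's nextUpdate (or reject at once when no good staple exists).
    """
    end = cert.not_after
    if require_revocation_info:
        end = last_good_staple.next_update if last_good_staple else compromise_at
    end = min(end, cert.not_after)
    return max(end - compromise_at, timedelta(0))


T0 = datetime(2013, 3, 22, tzinfo=timezone.utc)     # constructed start date
WEEK = timedelta(days=7)
SHORT = Cert(T0, T0 + WEEK)                          # 7-day certificate
LONG = Cert(T0, T0 + timedelta(days=365))            # 1-year certificate
STAPLE = OcspResponse(T0, T0 + WEEK, good=True)      # 7-day OCSP response


def scenarios() -> Dict[str, int]:
    """Exposure in whole days for a compromise two days into the cert's life."""
    compromised = T0 + timedelta(days=2)
    return {
        # The proposal: no revocation info, but the cert itself expires soon.
        "short-lived, no revocation info":
            worst_case_exposure(SHORT, compromised, None, False).days,
        # Same freshness: long-lived cert, 7-day staple, client insists on it.
        "long-lived, 7-day staple, hard-fail":
            worst_case_exposure(LONG, compromised, STAPLE, True).days,
        # Rick's concern: skipping revocation on a long-lived cert that merely
        # happens to be young leaves it exposed until it expires.
        "long-lived, no revocation info, soft-fail":
            worst_case_exposure(LONG, compromised, None, False).days,
        # Hard-fail client with nothing stapled: rejected immediately.
        "long-lived, no staple, hard-fail":
            worst_case_exposure(LONG, compromised, None, True).days,
    }


def client_decisions() -> Dict[str, bool]:
    """Individual accept/reject decisions illustrating the freshness rule."""
    day = timedelta(days=1)
    return {
        # A fresh staple makes a 300-day-old cert acceptable: cert age is irrelevant.
        "old cert, fresh good staple":
            accepts(LONG, T0 + 300 * day,
                    OcspResponse(T0 + 298 * day, T0 + 305 * day, True), True),
        # A fresh "revoked" response is honoured even by a soft-fail client.
        "fresh revoked staple, soft-fail":
            accepts(LONG, T0 + 3 * day,
                    OcspResponse(T0 + 2 * day, T0 + 9 * day, False), False),
        # Past nextUpdate the staple is no longer fresh information.
        "stale staple, hard-fail": accepts(LONG, T0 + 10 * day, STAPLE, True),
        "stale staple, soft-fail": accepts(LONG, T0 + 10 * day, STAPLE, False),
    }
```

Under this model the short-lived certificate and the stapled 7-day response bound exposure identically (five days for a compromise on day two), while the long-lived certificate with revocation checking skipped stays exposed for the rest of its year; the model supports Ryan's equivalence claim only because the short-lived cert's own expiry does the work that nextUpdate does for a staple.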