[cabfpub] Pre-Ballot - Short-Life Certificates

Ryan Sleevi sleevi at google.com
Thu Oct 30 08:51:46 MST 2014


As I explained, we've explored this in the past, and it's not something we
believe is worthwhile nor possible at this time.

But this is a bit of a divergence from our topic at hand.

On Thu, Oct 30, 2014 at 8:48 AM, kirk_hall at trendmicro.com <
kirk_hall at trendmicro.com> wrote:

>  This may be too deep for me, but what if browsers followed this logic?
>
> Cert issued from (original) trusted root in browser root store (not added
> by client) => cert must have CDP and AIA to be treated as valid by browser
>
> Cert NOT issued from (original) trusted root in browser root store (so
> maybe cert from root added by client) => cert is NOT required to have CDP
> and AIA to be treated as valid by browser
>
> -----Original Message-----
> From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
> Behalf Of Gervase Markham
> Sent: Thursday, October 30, 2014 6:29 AM
> To: Eddy Nigg
> Cc: public at cabforum.org
> Subject: Re: [cabfpub] Pre-Ballot - Short-Life Certificates
>
> On 29/10/14 22:12, Eddy Nigg wrote:
> > Considering that CAs were required to modify the OCSP responders to
> > include Good, Revoked and *Unknown* upon request of the browsers
> > mostly (I believe Google was a strong supporter of that), it's rather
> > confusing to know that browsers entirely ignore it if the certificates
> > have no OCSP (and CRL) pointers, not speaking about checking this
> > information when available.
>
> How do you envisage a browser would know which server to ask about the
> Certificate Status of a particular certificate, if the certificate did not
> contain a server pointer?
>
> Gerv
>
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public
>
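The browser rule Kirk sketches above (a leaf that chains to a root in the browser's own store must carry CDP and AIA pointers; a leaf that chains only to a user-added root need not), written out as an added example. This is not code from the thread, from any participant, or from any browser; the three roots, the host name www.example.test and the OCSP/CRL URLs are constructed placeholders that are never contacted. Go's standard crypto/x509 does the chain building against two separate pools standing in for the built-in and user-added stores. Only the presence of the AIA OCSP and CRL DP pointers is checked here, which is exactly the point Gerv raises: without a pointer there is no server to ask, so the rule can only be enforced at the "is the pointer there" stage.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

const (
	Accept           = "accept"
	RejectNoPointers = "reject: chains to built-in root but lacks AIA OCSP and/or CRL DP"
	RejectUntrusted  = "reject: no path to a trusted root"
)

// newCert generates a P-256 key, sets a one-day validity window and signs tmpl
// with parent/parentKey; a nil parent makes the certificate self-signed.
func newCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// evaluate applies the proposed rule: a leaf that chains to the built-in root
// store must carry both an AIA OCSP pointer and a CRL DP; a leaf that chains
// only to a user-added root is accepted without them. No OCSP/CRL fetch happens.
func evaluate(leaf *x509.Certificate, host string, builtin, userAdded *x509.CertPool) string {
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: builtin, DNSName: host}); err == nil {
		if len(leaf.OCSPServer) == 0 || len(leaf.CRLDistributionPoints) == 0 {
			return RejectNoPointers
		}
		return Accept
	}
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: userAdded, DNSName: host}); err == nil {
		return Accept
	}
	return RejectUntrusted
}

// demo builds three constructed test roots (none is a real CA), puts one in the
// "built-in" pool and one in the "user-added" pool, and returns the verdict per case.
func demo() (map[string]string, error) {
	const host = "www.example.test"
	roots, keys := map[string]*x509.Certificate{}, map[string]*ecdsa.PrivateKey{}
	for _, n := range []string{"builtin", "user-added", "unknown"} {
		tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed " + n + " root"},
			IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
		c, k, err := newCert(tmpl, nil, nil)
		if err != nil {
			return nil, err
		}
		roots[n], keys[n] = c, k
	}
	builtin, userAdded := x509.NewCertPool(), x509.NewCertPool()
	builtin.AddCert(roots["builtin"])
	userAdded.AddCert(roots["user-added"])
	cases := []struct{ name, root string; pointers bool }{
		{"builtin-with-pointers", "builtin", true},
		{"builtin-without-pointers", "builtin", false},
		{"user-added-without-pointers", "user-added", false},
		{"unknown-root-with-pointers", "unknown", true},
	}
	out := map[string]string{}
	for _, c := range cases {
		t := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
			KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
		if c.pointers { // placeholder URLs, never contacted
			t.OCSPServer = []string{"http://ocsp.example.test"}                // AIA, id-ad-ocsp
			t.CRLDistributionPoints = []string{"http://crl.example.test/r.crl"} // CDP
		}
		leaf, _, err := newCert(t, roots[c.root], keys[c.root])
		if err != nil {
			return nil, err
		}
		out[c.name] = evaluate(leaf, host, builtin, userAdded)
	}
	return out, nil
}

func main() {
	results, err := demo()
	fmt.Println(results, err)
}
```

Running it prints one verdict per case: the built-in-root leaf without pointers is rejected, the same leaf with pointers and the pointer-less leaf under the user-added root are accepted, and the leaf under the root that is in neither pool fails for lack of any trust path.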