[cabfpub] Pre-Ballot - Short-Life Certificates

Rich Smith richard.smith at comodo.com
Fri Oct 24 16:01:36 UTC 2014


I don't think it is OK, but as long as the revocation pointers are 
there, the CA CAN revoke a certificate, which is part of their job. The 
CA has no say in what the browser does with that information. That's 
your job, and your responsibility.  Your argument is that short lived 
w/out revocation pointers is equal to long lived with revocation 
pointers.  I maintain that that is only true under the narrow 
circumstances outlined earlier and that there are other circumstances 
under which revocation pointers DO in fact protect users, if revocation 
is checked.  But again revocation CHECKING is your job.  Revocation is 
the CA's job and the CA can't do that job if no pointers exist.

-Rich

On 10/24/2014 9:52 AM, Gervase Markham wrote:
> Now every browser doesn't check revocation for
> short-life certs. If this is OK by you, why are you not OK with us
> achieving the same end more quickly by removing the revocation pointers?



