[cabfpub] Short-Lived Certs - the return

Doug Beattie doug.beattie at globalsign.com
Tue Jun 9 19:26:51 UTC 2015


Hi Eddy,

Browsers can check, or not, the status of SSL certificates today and they can also change the rules for shorter validity period certificates as they see fit, that is outside the scope of the BRs.  The purpose of this discussion/ballot is to enable the issuance of SSL certificates and not require the CA to set up revocation services.  By selecting a sufficiently short validity period we can "revoke" certificates more quickly than is currently mandated.  Browsers might also change their expired certificate warning to that of a revoked certificate.

Doug

From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Eddy Nigg
Sent: Tuesday, June 9, 2015 7:15 AM
To: CABFPub
Subject: Re: [cabfpub] Short-Lived Certs - the return


On 06/05/2015 11:06 PM, Doug Beattie wrote:
Given both OCSP and CRL max validity are set at 10 days, I'd recommend we allow SSL certificates to omit OCSP and/or CRL information if they are 10 days or less in duration, that is currently the max lag time a relying party can go without an update (most CAs actual controls are much shorter than this, and they can also have shorter limits on their "short validity SSL certificates")

I recommend to leave this to the implementations of the browsers, e.g. browsers define how frequently they want to check OCSP and CRLs and they can decide not to check certificates that will expire in less than X time.
--
Regards



Signer:

Eddy Nigg, COO/CTO



StartCom Ltd.<http://www.startcom.org>

XMPP:

startcom at startcom.org<xmpp:startcom at startcom.org>

Blog:

Join the Revolution!<http://blog.startcom.org>

Twitter:

Follow Me<http://twitter.com/eddy_nigg>




-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20150609/7a2e992b/attachment-0003.html>


More information about the Public mailing list