[cabfpub] Short-Lived Certs - the return
Eddy Nigg
eddy_nigg at startcom.org
Thu Jun 11 16:32:09 UTC 2015
On 06/11/2015 07:02 PM, Ryan Sleevi wrote:
>
> Sorry, that reply was meant to be towards browsers checking daily.
>
Yes of course, I explicitly mentioned in my original response that any
cached data will remain cached for whatever time the CA sets in the
OCSP response.
But any new connection checking an updated OCSP response would of course
take effect from the time of revocation by the CA. There is a
difference, certainly if we are talking about the max. time of 10 days
(which is commercially interesting enough for an attacker I guess, and
probably the reason why some/most browsers cache the OCSP response for
only 24 hours).
--
Regards
Signer: Eddy Nigg, COO/CTO
StartCom Ltd. <http://www.startcom.org>
XMPP: startcom at startcom.org <xmpp:startcom at startcom.org>
Blog: Join the Revolution! <http://blog.startcom.org>
Twitter: Follow Me <http://twitter.com/eddy_nigg>