[cabfpub] Short-lived certs
Ryan Sleevi
sleevi at google.com
Thu Oct 5 05:58:16 UTC 2017
On Wed, Oct 4, 2017 at 10:54 PM, Jeremy Rowley <jeremy.rowley at digicert.com>
wrote:
>
> Pre-signing OCSP responses for these certs is a waste of time as they’ll
> expire before the OCSP is ever delivered.
>
>
>
> Delivered to who? Are you saying you deliver certificates before you've
> produced OSP responses?
>
> - If we pre-sign an OCSP response for a 15 min cert, the OCSP is
> rarely used.
>
>
But that's different than what you said - you indicated that 15 minutes is
because the OCSP is delivered, and I was trying to understand delivered to
who/what?
>
> -
>
> When you are signing certs daily, even signing that first OCSP response
> eats up lots of processing power without providing any benefit to the
> user. Removing OCSP for short-lived certs eliminates an external call to
> the CA
>
>
>
> Stapling
>
> - These are usually on a home network. Getting an OCSP response to
> staple through the firewall usually doesn’t happen
>
> Can you explain how you deliver a cert, but cannot deliver an OCSP
response for said cert?
> - Clock skew is a problem. That is the assumption.
> But that’s not really relevant to the OCSP issue right? That’s more an
> issue with certificate lifecycles. My contention is that OCSP provides
> little value in the context of a three day, or less, cert.
>
Well, your stated objective is to support lifetimes for as low as 15
minutes. If this objective is not reasonable - or is detrimental - then the
need to not include revocation information no longer there, right? Or are
there other reasons that weren't enumerated?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20171004/4eb4e477/attachment-0003.html>
More information about the Public
mailing list