----- Original Message -----
> From: "David Huang" <linshunghu...@gmail.com>
> To: mozilla-dev-security-pol...@lists.mozilla.org
> Sent: Saturday, August 2, 2014 1:21:58 AM
> Subject: Re: New wiki page on certificate revocation plans
>
> This is great news!
>
> Regarding the max lifetime threshold of short-lived certificates, we ran
> study [1] a while back that indicated the average OCSP validity time was 4
> days (while 87.14% were equal to or less than 7 days). Thus, FWIW, we
> suggested a certificate lifetime of 4 days in our paper [2] advocating
> short-lived certificates for revocation.
>
> [1] http://www.internetsociety.org/sites/default/files/12_4.pdf
> [2] http://www.w2spconf.com/2012/papers/w2sp12-final9.pdf

Very interesting, thanks for sharing!

These results are a bit scary though:

OCSP responder:                    Max Validity lifetime
http://EVIntl-ocsp.verisign.com    86 days 7 hours
http://ocsp.verisign.com           20 days 21 hours

How often did they provide responses valid for over a week?

--
Regards,
Hubert Kario