Sure, but this didn't answer my questions, and I'm guessing was just a quick reply.

I questioned both the motive and the problem statement, and it didn't seem like there were good answers. I'm hoping you could revisit, and we can see how much of a problem this is in actual practice.

On Thu, Oct 5, 2017 at 3:23 AM, Jeremy Rowley <[email protected]> wrote:

> For a short-lived cert that is truly short-lived, you never deliver a meaningful response. Of course, there's always an initial "good" response for an initially issued cert, but that only tells me it was issued. By the time I sign a new response, the cert is expired.
>
> I'm not sure why people are requesting 15 min or 8 hour certs. We can do them, but then we need to sign an OCSP response as well. Requiring OCSP on these certs doesn't mean that the certs don't exist.
>
> *From:* Ryan Sleevi [mailto:[email protected]]
> *Sent:* Wednesday, October 4, 2017 11:58 PM
> *To:* Jeremy Rowley <[email protected]>
> *Cc:* CA/Browser Forum Public Discussion List <[email protected]>
> *Subject:* Re: [cabfpub] Short-lived certs
>
> On Wed, Oct 4, 2017 at 10:54 PM, Jeremy Rowley <[email protected]> wrote:
>
> Pre-signing OCSP responses for these certs is a waste of time as they'll expire before the OCSP is ever delivered.
>
> Delivered to who? Are you saying you deliver certificates before you've produced OCSP responses?
>
> - If we pre-sign an OCSP response for a 15 min cert, the OCSP is rarely used.
>
> But that's different than what you said - you indicated that 15 minutes is because the OCSP is delivered, and I was trying to understand delivered to who/what?
>
> - When you are signing certs daily, even signing that first OCSP response eats up lots of processing power without providing any benefit to the user. Removing OCSP for short-lived certs eliminates an external call to the CA
>
> Stapling
>
> - These are usually on a home network. Getting an OCSP response to staple through the firewall usually doesn't happen
>
> Can you explain how you deliver a cert, but cannot deliver an OCSP response for said cert?
>
> - Clock skew is a problem. That is the assumption. But that's not really relevant to the OCSP issue right? That's more an issue with certificate lifecycles. My contention is that OCSP provides little value in the context of a three day, or less, cert.
>
> Well, your stated objective is to support lifetimes for as low as 15 minutes. If this objective is not reasonable - or is detrimental - then the need to not include revocation information is no longer there, right? Or are there other reasons that weren't enumerated?
_______________________________________________ Public mailing list [email protected] https://cabforum.org/mailman/listinfo/public
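The exchange above turns on one quantitative question: given a cert lifetime and a CA's OCSP signing cadence, how much of that lifetime could a revocation actually be surfaced to a relying party before the cert expires on its own. The following is an added illustration of that point, not code from either participant or from the CA/Browser Forum. It assumes a simplified model: responses are signed on a fixed cadence starting at notBefore, each response reflects the revocation state at its signing time, and relying parties always use the newest signed response.

```python
"""Added example: how much of a short-lived cert's lifetime a pre-signed
OCSP response can still cover, given signing cadence and clock skew.
Not from the mailing-list thread; assumptions are stated in the docstrings."""
from datetime import datetime, timedelta
import math


def first_response_after(revoked_at, not_before, signing_interval):
    """Signing time of the first response that can carry 'revoked' status.

    Assumption: responses are signed at not_before + k*signing_interval
    (k = 0, 1, ...), so a revocation first appears in the next signing slot.
    """
    slots = math.ceil((revoked_at - not_before) / signing_interval)
    return not_before + slots * signing_interval


def useful_revocation_window(cert_lifetime, signing_interval,
                             clock_skew=timedelta(0)):
    """Length of the period (from notBefore) in which a revocation would still
    be surfaced before the cert stops being accepted anyway.

    A revocation at offset r is surfaced by the response signed at
    ceil(r / S) * S.  That only helps if it is signed before notAfter +
    clock_skew (a relying party whose clock runs slow keeps accepting the
    cert that long).  The last usable slot is K = ceil((L + skew) / S) - 1,
    and every revocation with r <= K*S is surfaced in time.
    """
    last_slot = math.ceil((cert_lifetime + clock_skew) / signing_interval) - 1
    if last_slot <= 0:
        return timedelta(0)  # only the initial "good" response ever exists
    return min(cert_lifetime, last_slot * signing_interval)


def coverage_fraction(cert_lifetime, signing_interval, clock_skew=timedelta(0)):
    """Fraction of the lifetime during which revocation can still be conveyed."""
    return useful_revocation_window(cert_lifetime, signing_interval,
                                    clock_skew) / cert_lifetime


if __name__ == "__main__":
    day, hour, minute = timedelta(days=1), timedelta(hours=1), timedelta(minutes=1)
    scenarios = [  # constructed scenarios matching the lifetimes in the thread
        ("15 min cert, daily OCSP signing", 15 * minute, day),
        ("8 h cert, daily OCSP signing", 8 * hour, day),
        ("3 day cert, daily OCSP signing", 3 * day, day),
        ("15 min cert, OCSP signed every 5 min", 15 * minute, 5 * minute),
    ]
    for label, lifetime, cadence in scenarios:
        print(f"{label}: {coverage_fraction(lifetime, cadence):.0%} of lifetime")
    nb = datetime(2017, 10, 5, 3, 23)  # constructed notBefore
    print("revoked at +90 min, hourly signing ->", first_response_after(nb + 90 * minute, nb, hour))
```

With daily signing, both the 15-minute and the 8-hour cert get 0% coverage, which is the "by the time I sign a new response, the cert is expired" case; a 3-day cert gets two thirds of its lifetime, and a 15-minute cert with 5-minute signing gets the first 10 minutes.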
