On 04/09/14 12:52, Hubert Kario wrote:
> It all depends on the exact definition of "short-lived". If the definition
> is basically the same as for OCSP responses or shorter, then yes, they
> provide the same security as regular certs with hard fail for OCSP
> querying/stapling.

The exact definition of "short-lived" is something I want to declare out
of scope for this particular discussion.

> I'm not sure what gives us the removal of revocation info from certificate.

Because there are lots of clients out there who check revocation info
always if the pointers are present. The only way to stop them doing that
(and so realise the speed advantage) is by not putting revocation info
in the cert.

> I mean, if the recommendation for PKIX is to not check revocation info
> for certificates that have total validity period of less than, say 2 days,
> then inclusion or exclusion of AIA extension is secondary.

We can't update all the software in the world to magically follow our
recommendation.

> There's also the must-staple extension in the works, which can be part of
> the plan: you either get short lived certs or you get a long lived with
> must-staple. They would provide the same security guarantees.

It is part of the plan, if you read it :-)
https://wiki.mozilla.org/CA:RevocationPlan

Gerv
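The two acceptable shapes the thread describes (a short-lived certificate with no revocation pointers, or a long-lived one carrying must-staple) expressed as a policy check over a parsed certificate, using Go's standard library. This is an added example, not code from the thread or from Mozilla's plan; the maxShort threshold, the sample() helper and the sample OCSP URL are assumptions.

```go
package main

import (
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"time"
)

// TLS Feature extension (RFC 7633); a value listing 5 (status_request) is the "must-staple" marker.
var oidTLSFeature = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 24}

// hasMustStaple reports whether a parsed certificate demands OCSP stapling.
func hasMustStaple(c *x509.Certificate) bool {
	for _, ext := range c.Extensions {
		var features []int
		if _, err := asn1.Unmarshal(ext.Value, &features); err != nil || !ext.Id.Equal(oidTLSFeature) {
			continue
		}
		for _, f := range features {
			if f == 5 {
				return true
			}
		}
	}
	return false
}

// classify applies the thread's two acceptable shapes: short-lived with no OCSP pointer (so legacy
// clients never query), or longer-lived with must-staple. The maxShort threshold is an assumption.
func classify(c *x509.Certificate, maxShort time.Duration) string {
	switch validity := c.NotAfter.Sub(c.NotBefore); {
	case validity <= maxShort && len(c.OCSPServer) == 0:
		return "short-lived, no revocation pointers"
	case validity <= maxShort:
		return "short-lived but carries an OCSP URL: legacy clients will still query it"
	case hasMustStaple(c):
		return "long-lived with must-staple"
	}
	return "long-lived, soft-fail OCSP only"
}

// sample is a constructed stand-in for a parsed certificate (hypothetical helper): OCSPServer is
// what x509.ParseCertificate fills in from the AIA extension; Extensions holds the raw TLS Feature.
func sample(validity time.Duration, ocspURL []string, mustStaple bool) *x509.Certificate {
	c := &x509.Certificate{NotBefore: time.Now(), NotAfter: time.Now().Add(validity), OCSPServer: ocspURL}
	if mustStaple {
		val, _ := asn1.Marshal([]int{5}) // SEQUENCE OF INTEGER { status_request }
		c.Extensions = []pkix.Extension{{Id: oidTLSFeature, Value: val}}
	}
	return c
}
```

A certificate that is short-lived yet still carries an OCSP URL lands in the second bucket, which is exactly the case Gerv's reply above is concerned with.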

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
