They aren't subject to less stringent security in issuing the certificate. The benefit is that the certificate doesn't include revocation information (smaller size) and doesn't need to check revocation status (faster handshake). The issuance of the certificate still must meet all of the Mozilla root store requirements.
Jeremy

-----Original Message-----
From: dev-security-policy [mailto:dev-security-policy-bounces+jeremy.rowley=digicert....@lists.mozilla.org] On Behalf Of David E. Ross
Sent: Thursday, September 4, 2014 11:36 AM
To: [email protected]
Subject: Re: Short-lived certs

On 9/4/2014 3:21 AM, Gervase Markham wrote [in part]:
> How should we approach the issue of short-lived certs?

Spammers change their E-mail addresses quite frequently, using the same address for only a day or two. Hackers also frequently change their "residence" so as to prevent tracing them. The same is true of distributors of malware.

If short-lived certificates are subjected to less stringent security by client applications, I would fear that they would become hacker and malware tools.

--
David E. Ross
The Crimea is Putin's Sudetenland. The Ukraine will be Putin's Czechoslovakia.
See <http://www.rossde.com/editorials/edtl_PutinUkraine.html>.
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

