Of course not.  I'm implying that the level of security in a short-lived cert 
is at least equal to any other certificate with a longer life cycle.  I'd argue 
that the security is perhaps better since revocation happens automatically by 
the certificate's expiration without the need to push a CRL or provide OCSP. 

Jeremy

-----Original Message-----
From: dev-security-policy 
[mailto:dev-security-policy-bounces+jeremy.rowley=digicert....@lists.mozilla.org]
 On Behalf Of David E. Ross
Sent: Thursday, September 4, 2014 12:44 PM
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: Short-lived certs

On 9/4/2014 10:44 AM, Jeremy Rowley wrote:
> 
> They aren't subject to less stringent security in issuing the 
> certificate.  The benefit is that the certificate doesn't include 
> revocation information (smaller size) and doesn't need to check 
> revocation status (faster handshake). The issuance of the certificate 
> still must meet all of the Mozilla root store requirements.
> 
> Jeremy
> 

Are you suggesting that NO certificate authority applying stringent procedures 
has ever signed a subscriber certificate for someone who intended to use it for 
malevolent purposes?

> -----Original Message-----
> From: dev-security-policy 
> [mailto:dev-security-policy-bounces+jeremy.rowley=digicert.com@lists.m
> ozilla.org] On Behalf Of David E. Ross
> Sent: Thursday, September 4, 2014 11:36 AM
> To: mozilla-dev-security-pol...@lists.mozilla.org
> Subject: Re: Short-lived certs
> 
> On 9/4/2014 3:21 AM, Gervase Markham wrote [in part]:
>> How should we approach the issue of short-lived certs? 
> 
> Spammers change their E-mail addresses quite frequently, using the 
> same address for only a day or two.  Hackers also frequently change 
> their "residence" so as to prevent tracing them.  The same is true of 
> distributors of malware.
> 
> If short-lived certificates are subjected to less stringent security 
> by client applications, I would fear that they would become hacker and 
> malware tools.
> 

--
David E. Ross

The Crimea is Putin's Sudetenland.
The Ukraine will be Putin's Czechoslovakia.
See <http://www.rossde.com/editorials/edtl_PutinUkraine.html>.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy