Sure - short lived certs are desirable where:

1) 50 bytes does matter, such as high traffic websites (it's why some CAs were issuing certs directly from the root)
2) Revocation information cannot be reliably obtained, such as areas with low internet connectivity - the cert simply expires instead of being revoked
3) the server is in a region with probable government influence/intervention - the government may block revocation checking or may seize control over the servers, in which case the issuer simply turns off the certificate issuance
4) the server is in a region where there is civil unrest - again, the server operator can abandon the server without having to worry about the sufficiency of revocation checking
I think an expired short-term certificate should be treated as revoked, but I don't have strong feelings. The expired certificate interstitial will likely give site visitors sufficient notice that something is going wrong.

Jeremy

-----Original Message-----
From: [email protected] [mailto:[email protected]]
Sent: Thursday, September 4, 2014 12:33 PM
To: Jeremy Rowley; 'David E. Ross'; [email protected]
Subject: Re: Short-lived certs

Hi Jeremy,

Could you (or anyone) elaborate a bit on the use cases where short lived certs are desirable?

Are there really cases where the extra 50 bytes (or whatever) for the revocation info is too great a burden? Or is the desire really to short circuit the revocation checks? Or...?

I'm also wondering what the plan is for handling an expired short term cert. Will the user be given a choice of allowing an exception or does it get special handling?

Original Message
From: Jeremy Rowley
Sent: Thursday, September 4, 2014 12:46 PM
To: 'David E. Ross'; [email protected]
Subject: RE: Short-lived certs

They aren't subject to less stringent security in issuing the certificate. The benefit is that the certificate doesn't include revocation information (smaller size) and doesn't need to check revocation status (faster handshake). The issuance of the certificate still must meet all of the Mozilla root store requirements.

Jeremy

-----Original Message-----
From: dev-security-policy [mailto:dev-security-policy-bounces+jeremy.rowley=digicert....@lists.mozilla.org] On Behalf Of David E. Ross
Sent: Thursday, September 4, 2014 11:36 AM
To: [email protected]
Subject: Re: Short-lived certs

On 9/4/2014 3:21 AM, Gervase Markham wrote [in part]:

> How should we approach the issue of short-lived certs?

Spammers change their E-mail addresses quite frequently, using the same address for only a day or two. Hackers also frequently change their "residence" so as to prevent tracing them. The same is true of distributors of malware.

If short-lived certificates are subjected to less stringent security by client applications, I would fear that they would become hacker and malware tools.

--
David E. Ross

The Crimea is Putin's Sudetenland.
The Ukraine will be Putin's Czechoslovakia.
See <http://www.rossde.com/editorials/edtl_PutinUkraine.html>.
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

