On 04/09/14 18:36, David E. Ross wrote:
> Spammers change their E-mail addresses quite frequently, using the same
> address for only a day or two. Hackers also frequently change their
> "residence" so as to prevent tracing them. The same is true of
> distributors of malware.
>
> If short-lived certificates are subjected to less stringent security by
> client applications, I would fear that they would become hacker and
> malware tools.
Can you explain in detail the differences you see in the threat model between:

a) a cert with a lifetime of 3 days and no revocation pointers

b) a cert with a lifetime of a year whose OCSP responder's responses have a lifetime of 3 days?

It seems to me that, if either is compromised, the attacker has 3 days to exploit the issue. (In case b), they can staple the good OCSP response they have obtained, even if the cert is revoked.)

Gerv
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
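Gerv's two cases as an added worked model (not part of the thread): a relying-party acceptance check that sees only what the server presents, and the resulting exposure window after key compromise. The dates, the hard-fail policy when a required staple is missing, and the assumption that the attacker keeps re-presenting the last "good" response fetched before revocation are constructed for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

DAY = timedelta(days=1)
T0 = datetime(2014, 4, 9, tzinfo=timezone.utc)  # constructed anchor date, not from the thread

@dataclass(frozen=True)
class Cert:
    not_before: datetime
    not_after: datetime
    has_ocsp_pointer: bool  # False models case a): no revocation pointers at all

@dataclass(frozen=True)
class OcspStaple:
    this_update: datetime
    next_update: datetime
    status: str  # "good" or "revoked"

def relying_party_accepts(cert: Cert, staple: Optional[OcspStaple], now: datetime) -> bool:
    """Client-side decision made only from what the server hands over. The CA's
    revocation event is invisible here; a required staple is checked hard-fail."""
    if not (cert.not_before <= now <= cert.not_after):
        return False
    if not cert.has_ocsp_pointer:
        return True  # case a): the validity period is the only freshness signal
    if staple is None:
        return False
    return staple.status == "good" and staple.this_update <= now <= staple.next_update

def exposure_window(cert: Cert, staple: Optional[OcspStaple], compromise: datetime) -> timedelta:
    """Longest time after key compromise during which relying_party_accepts() can
    still be made to return True, assuming the attacker keeps re-presenting the
    last 'good' staple fetched before revocation (Gerv's stapling point)."""
    end = cert.not_after
    if cert.has_ocsp_pointer:
        if staple is None or staple.status != "good":
            return timedelta(0)
        end = min(end, staple.next_update)
    return max(timedelta(0), end - max(compromise, cert.not_before))

def compare_scenarios() -> tuple:
    # a) 3-day cert, no pointers; worst case: key stolen the moment it is issued.
    cert_a = Cert(T0, T0 + 3 * DAY, has_ocsp_pointer=False)
    # b) 1-year cert; key stolen on day 100, attacker fetches a 'good' 3-day OCSP
    #    response at once, CA revokes the same day. Both cases yield 3 days.
    cert_b = Cert(T0, T0 + 365 * DAY, has_ocsp_pointer=True)
    staple_b = OcspStaple(T0 + 100 * DAY, T0 + 103 * DAY, "good")
    return exposure_window(cert_a, None, T0), exposure_window(cert_b, staple_b, T0 + 100 * DAY)
```

Shortening the OCSP response lifetime in case b) shrinks the window exactly as shortening the cert lifetime does in case a); only the staple's `next_update`, not the revocation event, bounds what the client will accept.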