> On Feb 24, 2017, at 4:35 AM, Dimitris Zacharopoulos via Public <[email protected]> wrote:
>
> I believe this is not exactly our view, nobody is arguing that 13 months is not more secure than 39 or 27 months.
I am. The revocation infrastructure is currently calibrated to limit validity of a revoked cert to a maximum 7 days. I would like to reduce that to 1 day for ordinary revocation and 15 minutes for extraordinary revocation. If you do revocation, the window of vulnerability is reduced from 400 days to 7 (or less).

In my design for a client side PKI, I abandoned the notion of validity intervals entirely over two years ago. They are neither necessary nor particularly useful in the modern Internet. While the approaches that make that possible could be carried over to the WebPKI, getting rid of validity intervals is obviously infeasible given the legacy code base.
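To make the arithmetic behind this argument concrete, here is an added Python model (not from the thread or from any CA/Browser Forum tooling) that compares the worst-case exposure of a compromised key under a bare validity period against revocation bounded by a status-freshness limit; the timeline, the 2-day detection delay and the cached-status model are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample timeline (not from the thread): key compromised on day 0,
# certificate valid for 400 more days, compromise noticed and revoked 2 days later.
COMPROMISE = datetime(2017, 3, 1)
NOT_AFTER = COMPROMISE + timedelta(days=400)
REVOKED_AT = COMPROMISE + timedelta(days=2)

# Revocation-status freshness bounds discussed in the thread: today's 7-day
# maximum, and the proposed 1 day (ordinary) and 15 minutes (extraordinary).
STATUS_MAX_AGE = {
    "current 7 days": timedelta(days=7),
    "proposed 1 day": timedelta(days=1),
    "proposed 15 min": timedelta(minutes=15),
}


def exposure_window(compromise, not_after, revoked_at=None, status_max_age=None):
    """Worst-case interval in which a relying party may still accept the key.

    Model assumptions (hypothetical, for illustration): a relying party that
    never sees a revocation trusts the certificate until notAfter; one that
    checks status may hold a cached "good" answer for up to status_max_age
    after the revocation is published, so trust ends at the earlier of
    notAfter and revoked_at + status_max_age.
    """
    if revoked_at is None or status_max_age is None or revoked_at >= not_after:
        trusted_until = not_after          # revocation never helps here
    else:
        trusted_until = min(not_after, revoked_at + status_max_age)
    return max(trusted_until - compromise, timedelta(0))


def compare_policies(compromise=COMPROMISE, not_after=NOT_AFTER, revoked_at=REVOKED_AT):
    """Exposure under 'no revocation' versus each status-freshness policy."""
    result = {"no revocation": exposure_window(compromise, not_after)}
    for name, max_age in STATUS_MAX_AGE.items():
        result[name] = exposure_window(compromise, not_after, revoked_at, max_age)
    return result


if __name__ == "__main__":
    for name, window in compare_policies().items():
        print(f"{name:>16}: {window}")
```

The validity period only bounds exposure when revocation never reaches the relying party (or the certificate expires first), which is the case the model's `revoked_at >= not_after` branch captures.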
