Sure. Think of them as one-time-use certs. They aren't replacing them every 15 
min. They're just good for 15 min.

On Oct 6, 2017, at 5:49 AM, Tim Hollebeek 
<[email protected]> wrote:

Are 15 minute certs a good idea in a CT world?

-Tim

From: Public [mailto:[email protected]] On Behalf Of Jeremy Rowley 
via Public
Sent: Thursday, October 5, 2017 3:23 PM
To: Ryan Sleevi <[email protected]>
Cc: CA/Browser Forum Public Discussion List 
<[email protected]>
Subject: Re: [cabfpub] Short-lived certs

For a short-lived cert that is truly short-lived, you never deliver a 
meaningful response.  Of course, there’s always an initial “good” response for 
an initially issued cert, but that only tells me it was issued.  By the time I 
sign a new response, the cert is expired.

I’m not sure why people are requesting 15 min or 8 hour certs. We can do them, 
but then we need to sign an OCSP response as well. Requiring OCSP on these 
certs doesn’t mean that the certs don’t exist.

From: Ryan Sleevi [mailto:[email protected]]
Sent: Wednesday, October 4, 2017 11:58 PM
To: Jeremy Rowley 
<[email protected]>
Cc: CA/Browser Forum Public Discussion List 
<[email protected]>
Subject: Re: [cabfpub] Short-lived certs



On Wed, Oct 4, 2017 at 10:54 PM, Jeremy Rowley 
<[email protected]> wrote:

Pre-signing OCSP responses for these certs is a waste of time as they’ll expire 
before the OCSP is ever delivered.

Delivered to who? Are you saying you deliver certificates before you've 
produced OCSP responses?

  *   If we pre-sign an OCSP response for a 15 min cert, the OCSP is rarely 
used.

But that's different than what you said - you indicated that 15 minutes is 
because the OCSP is delivered, and I was trying to understand delivered to 
who/what?


  *   When you are signing certs daily, even signing that first OCSP response 
eats up lots of processing power without providing any benefit to the user.  
Removing OCSP for short-lived certs eliminates an external call to the CA.

Stapling

  *   These are usually on a home network. Getting an OCSP response to staple 
through the firewall usually doesn’t happen.
Can you explain how you deliver a cert, but cannot deliver an OCSP response for 
said cert?

  *   Clock skew is a problem. That is the assumption.  But that’s not really 
relevant to the OCSP issue, right? That’s more an issue with certificate 
lifecycles. My contention is that OCSP provides little value in the context of 
a three day, or less, cert.
Well, your stated objective is to support lifetimes for as low as 15 minutes. 
If this objective is not reasonable - or is detrimental - then the need to not 
include revocation information is no longer there, right? Or are there other 
reasons that weren't enumerated?
_______________________________________________
Public mailing list
[email protected]
https://cabforum.org/mailman/listinfo/public
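As an added illustration of the two timing points argued over above (how much of a 15-minute lifetime survives client clock skew, and whether an OCSP response signed for such a cert can ever be consulted before the cert expires), here is a small model in Python. It is not code from the thread, the CA/Browser Forum, or any CA; the 5-minute skew tolerance, the issuance timestamp and the 7-day OCSP freshness used in the scenarios are assumptions chosen for the demo, not figures quoted by any participant.

```python
"""Model how client clock skew and OCSP timing interact with short-lived
certificate lifetimes. Added illustration, not CA/Browser Forum or CA code;
the skew tolerance and timestamps below are assumptions, not thread figures."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

Interval = Optional[Tuple[datetime, datetime]]


@dataclass(frozen=True)
class CertValidity:
    """notBefore / notAfter of an X.509 certificate, as UTC datetimes."""
    not_before: datetime
    not_after: datetime


def _interval(start: datetime, end: datetime) -> Interval:
    """Half-open interval [start, end), or None if it is empty."""
    return (start, end) if start < end else None


def seconds(iv: Interval) -> float:
    """Length of an interval in seconds (0 for an empty one)."""
    return 0.0 if iv is None else (iv[1] - iv[0]).total_seconds()


def all_clients_accept(cert: CertValidity, max_skew: timedelta) -> Interval:
    """True-time interval during which every client whose clock is off by at
    most max_skew in either direction sees the cert as valid.

    A client running slow by s rejects the cert as not yet valid until true
    time notBefore + s; one running fast by s treats it as expired from
    notAfter - s. The usable lifetime is therefore lifetime - 2 * s."""
    return _interval(cert.not_before + max_skew, cert.not_after - max_skew)


def some_client_accepts(cert: CertValidity, max_skew: timedelta) -> Interval:
    """True-time interval during which at least one client within max_skew
    still accepts the cert: the flip side of relying on expiry instead of
    revocation, since a slow clock keeps the cert alive past notAfter."""
    return _interval(cert.not_before - max_skew, cert.not_after + max_skew)


def ocsp_useful(cert: CertValidity, produced_at: datetime,
                next_update: datetime) -> Interval:
    """True-time interval during which an OCSP response signed at produced_at
    and fresh until next_update can actually be consulted for this cert: the
    response must exist, still be fresh, and the cert must not have expired.
    None when the response is only signed after the cert has expired."""
    return _interval(max(produced_at, cert.not_before),
                     min(next_update, cert.not_after))


# ---- plain-number wrappers so the scenarios are easy to reproduce ----

ISSUED = datetime(2017, 10, 5, 15, 0, tzinfo=timezone.utc)  # constructed issuance time


def skew_summary(lifetime_minutes: float, skew_minutes: float) -> dict:
    """Seconds during which all / some clients within the skew accept a cert."""
    cert = CertValidity(ISSUED, ISSUED + timedelta(minutes=lifetime_minutes))
    skew = timedelta(minutes=skew_minutes)
    return {
        "lifetime": lifetime_minutes * 60,
        "all_clients": seconds(all_clients_accept(cert, skew)),
        "some_client": seconds(some_client_accepts(cert, skew)),
    }


def ocsp_summary(lifetime_minutes: float, signed_after_minutes: float,
                 freshness_minutes: float) -> float:
    """Seconds during which an OCSP response signed signed_after_minutes past
    issuance, with nextUpdate freshness_minutes later, is of any use."""
    cert = CertValidity(ISSUED, ISSUED + timedelta(minutes=lifetime_minutes))
    produced = ISSUED + timedelta(minutes=signed_after_minutes)
    return seconds(ocsp_useful(cert, produced,
                               produced + timedelta(minutes=freshness_minutes)))


if __name__ == "__main__":
    SKEW = 5  # assumed client skew tolerance, in minutes
    for label, life in (("15 min", 15), ("8 h", 8 * 60), ("3 days", 3 * 24 * 60)):
        s = skew_summary(life, SKEW)
        print(f"{label:>7}: accepted by all clients for {s['all_clients'] / 60:7.1f} min, "
              f"by some client for {s['some_client'] / 60:8.1f} min")
    # OCSP for a 15-minute cert: signed at issuance vs. re-signed 20 minutes later
    week = 7 * 24 * 60
    print("OCSP signed at issuance, useful for", ocsp_summary(15, 0, week) / 60, "min")
    print("OCSP re-signed 20 min later, useful for", ocsp_summary(15, 20, week) / 60, "min")
```

With a 5-minute skew tolerance, the 15-minute cert is accepted by every client for only 5 of its 15 minutes, and some slow-clocked client still accepts it 5 minutes past notAfter; an 8-minute cert has no window at all. The OCSP side shows the point made in the thread: a response signed at issuance covers the whole 15 minutes, while one re-signed 20 minutes later covers nothing, because the cert has already expired.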
