Certificate lifetime less than 90 days


#1

Personally, I would like certificate lifetime of 7 days or lower. That would make OCSP unnecessary since cached OCSP responses are valid for 7 days, making any revocation fully effective only after 7 days.


#2

Thanks for the note! Currently we would still have to sign OCSP for such certificates under the Baseline Requirements, but I agree that this is one of two plausible paths forward for reliable revocation:

  1. OCSP Must Staple
  2. Short-Lived Certificates

Both have significant downsides: OCSP Must Staple has significant implementation problems in most web servers. Short-Lived Certificates would put a higher burden on CT logs, and would increase problems with client-side clock skew.

Right now we offer (1), and are continuing to evaluate (2) but don’t have any immediate plans.


#3

I don’t mean that OCSP should not be generated for such certificates, only that OCSP stapling becomes unnecessary for them.

Usually clock skew does not exceed 1 minute in any sensible system, so I’m not sure how much that applies.
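
As an added illustration (not part of this thread or of any CA's code), a small Python model of the two points argued above: how long a revoked certificate stays acceptable to a client holding a cached "good" OCSP response, bounded by the certificate's own expiry, and how much of a short certificate's lifetime a skewed client clock costs. The issuance time and the 7-day cached-response validity are constructed sample values.

```python
from datetime import datetime, timedelta, timezone

# Constructed issuance time for the examples below (an assumption, not a value
# taken from the thread), plus two units used to express offsets.
ISSUED_AT = datetime(2024, 1, 1, tzinfo=timezone.utc)
DAY = timedelta(days=1)
ONE_MINUTE = timedelta(minutes=1)


def worst_case_revocation_delay(cert_lifetime: timedelta,
                                ocsp_validity: timedelta,
                                revoked_at: timedelta) -> timedelta:
    """Longest time after revocation during which a client may still accept
    the certificate.  revoked_at is the offset from issuance at which the CA
    revokes.  Worst case: a client obtained a "good" OCSP response (fetched or
    stapled) an instant before revocation and trusts it until nextUpdate, but
    never past the certificate's own notAfter.  So a lifetime no longer than
    the OCSP validity period caps the delay at the remaining lifetime.
    """
    not_after = ISSUED_AT + cert_lifetime
    revocation_time = ISSUED_AT + revoked_at
    cached_response_expires = revocation_time + ocsp_validity
    last_accepted = min(not_after, cached_response_expires)
    return max(last_accepted - revocation_time, timedelta(0))


def rejected_for_clock_skew(cert_lifetime: timedelta,
                            client_offset: timedelta,
                            check_at: timedelta) -> bool:
    """True if a client whose clock is off by client_offset (negative = slow)
    rejects an unexpired certificate when checking it check_at after issuance.
    A slow clock sees notBefore in the future right after issuance; a fast
    clock sees notAfter already passed shortly before real expiry.  The
    unusable window equals the skew, so it weighs more on short lifetimes.
    """
    client_now = ISSUED_AT + check_at + client_offset
    return not (ISSUED_AT <= client_now <= ISSUED_AT + cert_lifetime)


if __name__ == "__main__":
    ocsp = 7 * DAY  # typical validity of a cached OCSP response
    for days in (90, 7, 1):
        delay = worst_case_revocation_delay(days * DAY, ocsp,
                                            revoked_at=days * DAY / 2)
        print(f"{days:>2}-day cert revoked mid-life: accepted up to {delay} longer")
    print("7-day cert, clock 1 min slow, checked at issuance:",
          rejected_for_clock_skew(7 * DAY, -ONE_MINUTE, timedelta(0)))
```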


#4

Also is there any possibility of reducing OCSP response lifetime to make full revocation happen faster than 7 days?


#5

@jsha Is there any hope that eventually OCSP responses will last less than 1 day?


#6

It’s not been something on our roadmap so far.

