Personally, I would like a certificate lifetime of 7 days or lower. That would make OCSP unnecessary since cached OCSP responses are valid for 7 days, making any revocation fully effective only after 7 days.
Thanks for the note! Currently we would still have to sign OCSP for such certificates under the Baseline Requirements, but I agree that this is one of two plausible paths forward for reliable revocation:
- OCSP Must Staple
- Short-Lived Certificates
Both have significant downsides: OCSP Must Staple has significant implementation problems in most web servers. Short-Lived Certificates would put a higher burden on CT logs, and would increase problems with client-side clock skew.
Right now we offer (1), and are continuing to evaluate (2) but don’t have any immediate plans.
I don’t mean that OCSP should not be generated for such certificates, only that OCSP stapling becomes unnecessary for them.
Usually clock skew does not exceed 1 minute in any sensible system, so I’m not sure how much that applies.
Also is there any possibility of reducing OCSP response lifetime to make full revocation happen faster than 7 days?
It’s not been something on our roadmap so far.
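To make the trade-off discussed above concrete, here is a small model of how long a revoked certificate can keep being accepted under each option (status quo, OCSP Must-Staple, short-lived certificates, shorter OCSP validity). This is an added example written for this thread, not code from Let's Encrypt or any of the posters. It assumes the 7-day OCSP cache lifetime and the 1-minute clock skew stated in the thread, and it assumes a 90-day certificate as the "long-lived" baseline; the issuance date is a constructed anchor with no significance.

```python
from datetime import datetime, timedelta, timezone

# Assumed values taken from the discussion above: OCSP responses are cached
# for up to 7 days, and clock skew in a sane system is at most 1 minute.
# The 90-day "normal" lifetime is an assumption for the baseline scenario.
OCSP_VALIDITY = timedelta(days=7)
SKEW = timedelta(minutes=1)


def stops_accepting(revoked_at, not_after, ocsp_next_update,
                    enforces_revocation, clock_skew=timedelta(0)):
    """Instant after which one client stops accepting a revoked certificate.

    revoked_at           when the CA marked the certificate revoked
    not_after            the certificate's notAfter
    ocsp_next_update     nextUpdate of the OCSP response the client holds
    enforces_revocation  True for a hard-fail client (OCSP Must-Staple or
                         hard-fail OCSP checking); False for soft-fail clients
                         and clients that do not check revocation at all
    clock_skew           how far the client's clock may run behind real time
    """
    # An expired certificate is rejected by everyone, but a slow clock
    # extends acceptance by the amount of skew.
    expiry_bound = not_after + clock_skew
    if not enforces_revocation:
        # Soft-fail: a blocked or failed OCSP fetch is treated as "good", so
        # revocation never reliably takes effect; only expiry does.
        return expiry_bound
    # Hard-fail: the client trusts its cached "good" response until
    # nextUpdate, then must fetch a fresh one, which says "revoked".
    return min(max(ocsp_next_update, revoked_at), expiry_bound)


def worst_case_latency(cert_lifetime, ocsp_validity, enforces_revocation,
                       clock_skew=timedelta(0)):
    """Longest time a revoked certificate can remain accepted by any client.

    Worst case: the certificate is revoked immediately after issuance (so the
    remaining lifetime is maximal) and the client fetched a "good" OCSP
    response just before the revocation (so its cached nextUpdate is maximal).
    """
    issued = datetime(2018, 1, 1, tzinfo=timezone.utc)  # constructed anchor
    revoked_at = issued
    until = stops_accepting(
        revoked_at,
        issued + cert_lifetime,
        revoked_at + ocsp_validity,
        enforces_revocation,
        clock_skew,
    )
    return until - revoked_at


# Each scenario: (certificate lifetime, OCSP response validity, hard-fail?)
SCENARIOS = {
    "90-day cert, soft-fail client (status quo)": (timedelta(days=90), OCSP_VALIDITY, False),
    "90-day cert, OCSP Must-Staple": (timedelta(days=90), OCSP_VALIDITY, True),
    "7-day cert, soft-fail client": (timedelta(days=7), OCSP_VALIDITY, False),
    "90-day cert, Must-Staple, 1-day OCSP validity": (timedelta(days=90), timedelta(days=1), True),
}


def compare(clock_skew=SKEW):
    """Worst-case acceptance window for every scenario, as timedeltas."""
    return {
        name: worst_case_latency(lifetime, validity, hard_fail, clock_skew)
        for name, (lifetime, validity, hard_fail) in SCENARIOS.items()
    }


if __name__ == "__main__":
    for name, latency in compare().items():
        print(f"{name:48s} {latency}")
```

The output shows the thread's point numerically: with a 90-day certificate and soft-fail clients, revocation is effectively the certificate's own expiry; Must-Staple brings it down to the OCSP validity (7 days), and a 7-day certificate reaches the same bound for every client, plus whatever clock skew you allow. Shortening OCSP validity only helps the clients that actually enforce it.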