OCSP signing requirements for revoked certificates


#1

sounds utterly stupid in my opinion and this is a behavior that should be changed because as far as I know it’s not in the plan to “un-revoke” a cert, so in theory an old revocation sig should be enough, this is something that cab should really think about especially to be prepared for the next mass revocation even (if something like heartbleed happens again)


Pros and cons of 90-day certificate lifetimes
#3

CA/Browser forum baseline requirements require an updated signature every 4 days with a maximum life of 10 days. That means a revoked certificate will be treated as valid if it’s not updated in a timely manner. I’m guessing that this mechanism is to allow for signing errors or misapplied responses (like the OCSP server returning revoked for all certs due to a bug) to be corrected properly. Of course, I don’t know enough to speak with any authority as to why CA/B has it this way.

If something like Heartbleed happens again, short-lived certificates are a benefit as revoked certs will pass away quickly and any neglected from revocation will be “quickly” replaced and everyone will be safer for that.

Either way, it’s a required part of the system and LE has to follow it to pass the audits and remain trusted. It also really is a huge distraction from the other reasons for short-lived certificates.


#4

well that it’s required is true but I think it’s just inefficient.

for mis-signings they could just drop the old mis-signed response and sign a new proper one. I didnt even say that the client needs to cache it for all eternity, but it would already help to remove a lot of overhead if an old revocation signature would be accepted in browsers, while this still doesnt remove the “problem” of having to store the signature, it at least eases the computation usage.

going back to the 90 day lifetimes

that neglected certs pass away faster is certainly true but then again short certs have also quite a signing overhead from active domains because you have a 30 day overlap at the beginning and end of each certificate meaning that any certificate in the “middle” has only 30 days to stay alone, meaning that half of the year, 2 certs have to be signed with OCSP (giving a 50% increase on the OCSP for active certs). also you have to sign 6 certs per year instead of just 1 (well due to a few days overlap depending on an admin but it probably wont exceed an average of 1.08 certs per year, coming to the same 1 month overlap) with a 1 month overlap you have to double-sign only 2/12 if the lifetime (1 month at the beginning and end each) giving 1/´6 or about 17% overhead on the OCSP.

of course that overhead could be greatly reduced if the revocation would remove the need of new OCSP responses by just revoking the old certs but you would still have to keep the signatures for all the time.

so assuming that most certs are used actively, actually longer certs have less overhead.


#5

The ratio between active, non-revoked certificates and revoked certificates makes this “discussion”, for me, a non-issue.


#6

so how do you know which certs are actively used?


#7

Well, actually active or not isn’t that big a difference: their OCSP responses are signed anyway.


#8

but for domains that are not used actively anymore you dont have the overlap for the last 30 days.


#9

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.