
Re: https

2011-08-29 10:15:04
I see, so as long as it's not revoked, if compromised, you are hosed until it expires.

I wonder if OCSP (Online Certificate Status Protocol) can help address this? Expired or not, it can still be revoked with dynamic checking as long as the browser has OCSP enabled. So I guess it's a matter of reporting the theft as soon as it is discovered.


Adam Novak wrote:
On Fri, Aug 26, 2011 at 1:13 PM, Hector Santos 
<hsantos(_at_)santronics(_dot_)com> wrote:
Makes you wonder. Why is the concept of expiration required? Did the IETF
expire, die? Did its value as an Organization go down and only valid on a
year to year basis?

As I understand it, expiration is supposed to solve the problem of
someone getting their hands on your old certificates and impersonating
you. In order to impersonate you, not only do they have to get into
your system, they have to have done it in the last year or so.

It also keeps certificates for domains from outliving domain
registrations for too long. If you don't have the domain when you go
to renew the certificate, the CA shouldn't renew it.

I guess it also keeps revocation lists short. You only have to
remember that a certain certificate was compromised until it expires,
instead of forever.
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf



--
Sincerely

Hector Santos
http://www.santronics.com


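As an added illustration of the points made in this thread (not code from either poster), here is a small Python model of how a relying party combines the notBefore/notAfter window with a revocation list, why a CRL only needs to remember a revoked serial until that certificate expires, and how long a stolen key stays usable with and without a revocation report. All serials, dates and the CRL are constructed sample data.

```python
from datetime import datetime, timezone

UTC = timezone.utc
NOW = datetime(2011, 8, 29, tzinfo=UTC)

# Constructed sample "certificates": serial -> (notBefore, notAfter).
CERTS = {
    "serial-2010": (datetime(2010, 8, 1, tzinfo=UTC), datetime(2011, 8, 1, tzinfo=UTC)),   # expired
    "serial-2011": (datetime(2011, 8, 1, tzinfo=UTC), datetime(2012, 8, 1, tzinfo=UTC)),   # current
    "serial-stolen": (datetime(2011, 6, 1, tzinfo=UTC), datetime(2012, 6, 1, tzinfo=UTC)), # current, revoked
}

# Constructed CRL: serial -> revocation date. Includes an entry for an
# already-expired certificate to show that pruning can drop it.
CRL = {
    "serial-stolen": datetime(2011, 8, 28, tzinfo=UTC),
    "serial-2010": datetime(2011, 1, 15, tzinfo=UTC),
}


def status(serial, now=NOW, certs=CERTS, crl=CRL):
    """Return 'not_yet_valid', 'expired', 'revoked' or 'valid' for a serial."""
    not_before, not_after = certs[serial]
    if now < not_before:
        return "not_yet_valid"
    if now > not_after:
        # Rejected on the validity window alone; the CRL is never consulted.
        return "expired"
    if serial in crl:
        return "revoked"
    return "valid"


def prune_crl(crl, certs, now=NOW):
    """Keep only entries for certificates that have not yet expired.

    Once a certificate is past notAfter, status() rejects it anyway, so the
    CA can stop carrying its serial in the CRL. This is why expiration keeps
    revocation lists bounded instead of growing forever."""
    return {s: d for s, d in crl.items() if certs[s][1] >= now}


def exposure_window(serial, compromised_at, reported_at=None, certs=CERTS):
    """How long a stolen key is usable: until revocation is reported, or,
    if it is never reported, until the certificate's notAfter."""
    not_after = certs[serial][1]
    end = not_after if reported_at is None else min(reported_at, not_after)
    return end - compromised_at
```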

