From: Anders R. <and...@gm...> - 2016-08-23 05:00:50
Assume there is a network of trusted providers like banks. Assume you want to save transactions including revocation data. There are (AFAIK) four solutions:

1. CRLs
2. OCSP read by the RP
3. Stapled OCSP provided by the sender
4. Short-lived certificates

1 and 2 look very unattractive compared to 3. OTOH, short-lived certificates eliminate specific revocation data altogether. There is a snag with 4; it puts more trust into the CA.

I'm thinking about daily certificates but with a life-span of a week or so.

WDYT?

Anders