From: Tomas G. <to...@pr...> - 2016-08-23 13:28:56

I don't see that 4 puts more trust in the CA than the other ones? It's the CA who would revoke a certificate, so the OCSP can be used anyhow. Short-lived should almost put less trust in the CA, since you cut away one process from the CA that could go wrong/be missed, i.e. revocation. Of course, you require the CA to be "secure" for renewal of the short-lived certificates (renew by a signature with the old certificate before it expires?)

Cheers,
Tomas

On 2016-08-23 07:00, Anders Rundgren wrote:
> Assume there is a network of trusted providers like banks.
> Assume you want to save transactions including revocation data.
>
> There are (AFAIK) four solutions:
> 1. CRLs
> 2. OCSP read by the RP
> 3. Stapled OCSP provided by the sender
> 4. Short-lived certificates
>
> 1 and 2 look very unattractive compared to 3.
> OTOH, short-lived certificates eliminate specific revocation data altogether.
>
> There is a snag with 4; it puts more trust into the CA.
>
> I'm thinking about daily certificates but with a life-span of a week or so.
>
> WDYT?
>
> Anders
>
> _______________________________________________
> Ejbca-develop mailing list
> Ejb...@li...
> https://lists.sourceforge.net/lists/listinfo/ejbca-develop
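As an added illustration of the four options the thread compares (not code from the thread or from EJBCA): a relying-party check that accepts short-lived certificates without any revocation data, and that reports, for each option, how long a key compromised right now would still be accepted. The seven-day threshold, the data classes and the sample timestamps are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional, Set, Tuple

# Assumed relying-party policy: a certificate living at most this long is
# accepted without revocation data (the weekly lifespan Anders proposes).
SHORT_LIVED_MAX = timedelta(days=7)
# Constructed reference instant for the sample data (the thread's date).
T0 = datetime(2016, 8, 23, tzinfo=timezone.utc)

def at(days: float) -> datetime:
    """Helper for building sample timestamps relative to T0."""
    return T0 + timedelta(days=days)

@dataclass
class Cert:
    serial: int
    not_before: datetime
    not_after: datetime

@dataclass
class RevocationData:
    """A CRL or an OCSP response: both carry a thisUpdate/nextUpdate window."""
    this_update: datetime
    next_update: datetime
    revoked: Set[int] = field(default_factory=set)

    def fresh_at(self, now: datetime) -> bool:
        return self.this_update <= now <= self.next_update

def check_status(cert: Cert, now: datetime,
                 stapled: Optional[RevocationData] = None,
                 fetched: Optional[RevocationData] = None) -> Tuple[str, Optional[timedelta]]:
    """Decide whether to accept cert and report the worst-case window during
    which a key compromised at `now` would still be accepted by this RP."""
    if not (cert.not_before <= now <= cert.not_after):
        return "reject: outside validity", None
    if cert.not_after - cert.not_before <= SHORT_LIVED_MAX:
        # Option 4: no revocation data at all; exposure is bounded by expiry.
        return "accept: short-lived", cert.not_after - now
    # Option 3 first (stapled by the sender), then 1/2 (fetched by the RP).
    for source, data in (("stapled", stapled), ("fetched", fetched)):
        if data is not None and data.fresh_at(now):
            if cert.serial in data.revoked:
                return f"reject: revoked ({source})", timedelta(0)
            return f"accept: {source}", data.next_update - now
    return "reject: no fresh revocation data", None
```

The returned window is the point of the comparison: with option 4 it is simply the remaining certificate lifetime, with options 1 to 3 it is the remaining validity of the revocation data, and a stale stapled response falls through to whatever the RP fetched itself.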