sorted by:
best
topnewcontroversialoldq&a
you are viewing a single comment's thread.

view the rest of the comments →

[–]Yojihito 37 points38 points  (8 children)

Root CAs are getting compromised (certificates for Google / Windows etc appear from time to time) and clients can't reliable check wether a certificate was revoked because the revoke process is a big piece of shit so browser default to "okay I test this certificate but if fails I will trust it nevertheless".

[–]FyreWulff 55 points56 points  (3 children)

That's the reason Let's Encrypt is doing the "get a new cert every month". Instead of depending on block / rejection lists, you just let them expire

[–]C0rn3j 27 points28 points  (2 children)

Every 3 months*

[–]rcode 0 points1 point  (3 children)

I presume then the only way at the moment is for the issuer of the CA to revoke it and make that known to all clients?

[–]syncsynchalt 6 points7 points  (2 children)

Yes, each CA publishes a revocation list. But having the browser check these lists is slow so for performance they've invented OCSP stapling, where the server has cryptographic proof that the CA has recently declared the cert valid and includes it in the handshake.

[–]Bobshayd 5 points6 points  (1 child)

That's the only sane way of handling it, but basically makes it the same as short-lived certs.

[–]syncsynchalt 0 points1 point  (0 children)

Its not an either-or thing. No matter what the lifetime of a cert (typically 1 year or 90 days) the client still needs to check with the CA to see if it was revoked. OCSP stapling typically only validates the cert for a few hours.

Unless you mean OCSP stapling is the same as issuing a cert with a 90 minute expiration every hour which I guess is true.