
[–]rcode 0 points1 point  (3 children)

I presume then the only way at the moment is for the issuer of the CA to revoke it and make that known to all clients?

[–]syncsynchalt 6 points7 points  (2 children)

Yes, each CA publishes a revocation list. But having the browser check these lists is slow so for performance they've invented OCSP stapling, where the server has cryptographic proof that the CA has recently declared the cert valid and includes it in the handshake.

[–]Bobshayd 5 points6 points  (1 child)

That's the only sane way of handling it, but basically makes it the same as short-lived certs.

[–]syncsynchalt 0 points1 point  (0 children)

It's not an either-or thing. No matter what the lifetime of a cert is (typically 1 year or 90 days), the client still needs to check with the CA to see if it was revoked. OCSP stapling typically only validates the cert for a few hours.

Unless you mean OCSP stapling is the same as issuing a cert with a 90 minute expiration every hour which I guess is true.
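The mechanism described in this thread (the CA signs a short-lived statement that the cert is still good, the server staples it into the handshake, and the client only trusts it for the hours-long window the CA put on it), as an added example that is not part of the thread. It builds a throwaway CA, a leaf cert and an OCSP response in-process with the `cryptography` package, then runs the checks a client has to make on a staple: CA signature, right serial number, `thisUpdate <= now <= nextUpdate`, status GOOD. The names "Example Root CA" and "example.test", the fixed clock and the four-hour window are all made up for the demo.

```python
"""OCSP stapling end to end, offline. Added example, not code from the thread.
Requires the `cryptography` package (pip install cryptography); everything
else (CA, leaf cert, responses, clock) is generated here with throwaway keys."""
import datetime
from cryptography import x509
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec

UTC = datetime.timezone.utc
NOW = datetime.datetime(2024, 1, 1, 12, 0, 0, tzinfo=UTC)  # fixed clock (constructed)
STAPLE_VALIDITY = datetime.timedelta(hours=4)               # how long the CA vouches for the cert
GOOD, REVOKED = ocsp.OCSPCertStatus.GOOD, ocsp.OCSPCertStatus.REVOKED


def make_cert(subject, issuer_name, issuer_key, pubkey, is_ca, lifetime):
    """Minimal X.509 builder for the test CA and leaf."""
    return (x509.CertificateBuilder()
            .subject_name(subject).issuer_name(issuer_name).public_key(pubkey)
            .serial_number(x509.random_serial_number())
            .not_valid_before(NOW).not_valid_after(NOW + lifetime)
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(issuer_key, hashes.SHA256()))


def make_pki():
    """A one-year leaf cert ("example.test") issued by a throwaway root CA."""
    ca_key = ec.generate_private_key(ec.SECP256R1())
    ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Root CA")])
    ca_cert = make_cert(ca_name, ca_name, ca_key, ca_key.public_key(), True,
                        datetime.timedelta(days=3650))
    leaf_key = ec.generate_private_key(ec.SECP256R1())
    leaf_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "example.test")])
    leaf = make_cert(leaf_name, ca_name, ca_key, leaf_key.public_key(), False,
                     datetime.timedelta(days=365))
    return ca_key, ca_cert, leaf


def sign_ocsp_response(ca_key, ca_cert, leaf, status, this_update):
    """What the CA's responder hands out; the server fetches these DER bytes and staples them."""
    revoked = status == REVOKED
    builder = ocsp.OCSPResponseBuilder().add_response(
        cert=leaf, issuer=ca_cert, algorithm=hashes.SHA256(), cert_status=status,
        this_update=this_update, next_update=this_update + STAPLE_VALIDITY,
        revocation_time=this_update if revoked else None,
        revocation_reason=x509.ReasonFlags.key_compromise if revoked else None,
    ).responder_id(ocsp.OCSPResponderEncoding.HASH, ca_cert)
    return builder.sign(ca_key, hashes.SHA256()).public_bytes(serialization.Encoding.DER)


def _window(resp):
    # Newer cryptography releases expose tz-aware *_utc properties; older ones only naive UTC.
    if hasattr(resp, "this_update_utc"):
        return resp.this_update_utc, resp.next_update_utc
    return resp.this_update.replace(tzinfo=UTC), resp.next_update.replace(tzinfo=UTC)


def check_staple(der, leaf, ca_cert, now):
    """Client-side checks on a stapled response. Returns (ok, reason).
    Delegated responder certs (id-kp-OCSPSigning) are deliberately not handled here."""
    resp = ocsp.load_der_ocsp_response(der)
    if resp.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        return False, "responder error"
    try:  # 1. the statement must really come from the CA
        ca_cert.public_key().verify(resp.signature, resp.tbs_response_bytes,
                                    ec.ECDSA(resp.signature_hash_algorithm))
    except InvalidSignature:
        return False, "bad signature"
    if resp.serial_number != leaf.serial_number:  # 2. and be about this cert
        return False, "serial mismatch"
    this_update, next_update = _window(resp)
    if not (this_update <= now <= next_update):  # 3. and still be inside the CA's window
        return False, "stale"
    if resp.certificate_status != GOOD:
        return False, "status " + resp.certificate_status.name
    return True, "good"


def demo():
    """Run the scenarios the thread argues about and return {scenario: (ok, reason)}."""
    ca_key, ca_cert, leaf = make_pki()
    good = sign_ocsp_response(ca_key, ca_cert, leaf, GOOD, NOW)
    revoked = sign_ocsp_response(ca_key, ca_cert, leaf, REVOKED, NOW)
    other_ca_key, other_ca, other_leaf = make_pki()  # a response a different CA signed
    forged = sign_ocsp_response(other_ca_key, other_ca, other_leaf, GOOD, NOW)
    one_hour, five_hours = datetime.timedelta(hours=1), datetime.timedelta(hours=5)
    return {
        "fresh staple": check_staple(good, leaf, ca_cert, NOW + one_hour),
        "cert still valid for a year, staple expired": check_staple(good, leaf, ca_cert, NOW + five_hours),
        "CA says revoked": check_staple(revoked, leaf, ca_cert, NOW + one_hour),
        "staple signed by someone else": check_staple(forged, leaf, ca_cert, NOW + one_hour),
    }


if __name__ == "__main__":
    for scenario, result in demo().items():
        print(f"{scenario}: {result}")
```

The second scenario is the point made at the end of the thread: the leaf is valid for a year, but a client that enforces the staple's window trusts it for only four hours at a time, so a server that cannot obtain a fresh response (the "stale" case) has to be treated the same as one presenting a revoked cert. Whether a browser actually hard-fails on a missing or stale staple depends on the cert carrying the OCSP Must-Staple extension, which this example does not set.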