by AhtiK
4436 days ago
My quick write-up on this from a few days ago: http://www.ahtik.com/blog/startssl-revocation-fees-will-not-... Yes, revocation is broken by design, especially with mobile and the Chrome browser. I'd say it's broken everywhere except in Firefox with OCSP hard fail enabled. Thanks to this flaw, StartSSL's business model has become somewhat outdated IMHO, with the free certs and paid revocations. I'm dreaming that we can fix the revocation issue with 24-hour valid certificates, as suggested at the end of my post. But I must be naive on this, as it's too simple; I just haven't found the flaw in it myself. Yes, it needs technical orchestration, but at least it does not add an extra layer of single point of failure for every session. EDIT: Just finished the OP post, and it does indeed also mention "short-lived certificates" at the end as a potential solution.
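The trade-off argued in this comment, as an added illustration and not the commenter's code: a toy model of a client's revocation policy (soft fail, hard fail, or skipping OCSP for short-lived certs) that shows why a blocked OCSP responder leaves a soft-fail client accepting a revoked key until the certificate expires, and how a 24-hour lifetime bounds that window. `MAX_SHORT`, `Cert`, `utc` and `hours` are constructed helpers for the model, not browser or CA code.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum


class Ocsp(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    UNAVAILABLE = "unavailable"   # responder down, or blocked on the client's path


class Policy(Enum):
    SOFT_FAIL = "soft-fail"       # unreachable responder => accept (most clients)
    HARD_FAIL = "hard-fail"       # unreachable responder => reject (Firefox option)
    SHORT_LIVED = "short-lived"   # skip OCSP when lifetime <= MAX_SHORT, else hard fail


MAX_SHORT = timedelta(hours=24)   # constructed cut-off: the 24h from the comment


@dataclass(frozen=True)
class Cert:
    not_before: datetime
    not_after: datetime

    def lifetime(self) -> timedelta:
        return self.not_after - self.not_before


def utc(y: int, m: int, d: int, h: int = 0) -> datetime:   # helper for sample timestamps
    return datetime(y, m, d, h, tzinfo=timezone.utc)


def hours(n: float) -> timedelta:
    return timedelta(hours=n)


def accept(cert: Cert, now: datetime, ocsp: Ocsp, policy: Policy) -> bool:
    """Decide whether a client following `policy` trusts `cert` at `now`."""
    if not (cert.not_before <= now < cert.not_after):
        return False                                  # expiry is enforced by every client
    if policy is Policy.SHORT_LIVED and cert.lifetime() <= MAX_SHORT:
        return True                                   # expiry alone bounds the exposure
    if ocsp is Ocsp.GOOD:
        return True
    if ocsp is Ocsp.REVOKED:
        return False
    return policy is Policy.SOFT_FAIL                 # UNAVAILABLE: only soft fail accepts


def max_exposure(cert: Cert, compromised: datetime, revoked: datetime, policy: Policy) -> timedelta:
    """Longest window in which a key stolen at `compromised` still passes accept(),
    assuming the attacker can block the OCSP responder for the victim client."""
    skips_ocsp = policy is Policy.SHORT_LIVED and cert.lifetime() <= MAX_SHORT
    end = cert.not_after if (policy is Policy.SOFT_FAIL or skips_ocsp) else min(revoked, cert.not_after)
    return max(end - compromised, timedelta(0))
```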
Short-lived certificates were explored in "Towards Short-Lived Certificates": http://crypto.stanford.edu/~dabo/pubs/abstracts/ssl-shortliv...