Tag Archives: CRL

OCSP Stapling

February 24, 2014 by Bruce Morton     1 Comment

Digital certificate status is provided by the certificate revocation list (CRL) and online certificate status protocol (OCSP). The CRL is a list of all certificates that have been revoked. If the serial number is not on the list it is assumed to be good. OCSP provides a response for all certificates. In layman’s terms, the [Read More...]

Filed Under: SSL, SSL Deployment Tagged With: OCSP, OCSP stapling, RFC 5019

IETF 86 – Web PKI Working Group

March 22, 2013 by Bruce Morton     No Comments

At the IETF 86 meeting in Orlando last week, there was a working group meeting discussing the operations of the Web PKI. At the previous IETF 85 meeting a birds-of-a-feather was held to discuss the purpose of having such a group.

SSL Certificate Status Checking

March 12, 2013 by Bruce Morton     No Comments

As part of its effort to promote SSL certificate best practices, the CA Security Council (CASC) has offered a couple of blogs on the importance of revocation checking

Short-Lived Certificates

August 21, 2012 by Bruce Morton     2 Comments

Certificate revocation is a current SSL industry issue. There are many causes to the problem. Some end-users do not have certificate-revocation checking turned on. Browsers support CRL or OCSP, but in some cases not both. The certification authorities (CA) may not provide reliable revocation responses. And what if there are no revocation responses from a [Read More...]

If You Don’t Like Your CA’s Practices, Find One More Sympatico

April 24, 2012 by Jon Callas     No Comments

The following Mozilla bug came my way via the Cryptography mailing list. The gist of it is that a Norton (né VeriSign) customer asked for a certificate with two-year certificate, and got one with six-year validity. I don’t precisely understand why the customer is complaining to Mozilla, but they didn’t get satisfaction with Norton, who [Read More...]

Google Rethinks Revocation

March 7, 2012 by Jon Callas     No Comments

Google has decided in Chrome that they’re going to take a different approach to certificate revocation. Chrome developer Adam Langley describes the decision in detail in his blog, Imperial Violet. Unlike a number of CAs, we think this is a pretty good idea, even if incompletely executed so far. Revocation is a difficult task. It [Read More...]