short-lived certificates

[1] CA:RevocationPlan - MozillaWiki <https://wiki.mozilla.org/CA:RevocationPlan#Short-Lived_Certificates>

[3] Improving Revocation: OCSP Must-Staple and Short-lived Certificates | Mozilla Security Blog <https://blog.mozilla.org/security/2015/11/23/improving-revocation-ocsp-must-staple-and-short-lived-certificates/>

To get back to stronger revocation checking, we have added support for short-lived certificates and Must-Staple to let sites opt in to hard failures. As of Firefox 41, Firefox will not do “live” OCSP queries for sufficiently short-lived certs (with a lifetime shorter than the value set in “security.pki.cert_short_lifetime_in_days”). Instead, Firefox will just assume the certificate is valid. There is currently no default threshold set, so users need to configure it. We are collecting telemetry on certificate lifetimes, and expect to set the threshold somewhere around the maximum OCSP response lifetime specified in the baseline requirements.

[4] Short-lived certs - Google Groups <https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/T11up58JkFc>

[5] 1141189 – add ability to skip expensive revocation checks for "short-lived" certificates <https://bugzilla.mozilla.org/show_bug.cgi?id=1141189>

[6] 1221033 – Make expiry non-overrideable for short-lived certificates <https://bugzilla.mozilla.org/show_bug.cgi?id=1221033>

[7] 1228451 – Set the short-lived lifetime to the max OCSP response lifetime <https://bugzilla.mozilla.org/show_bug.cgi?id=1228451>