Confirm, administrator
5,526
edits
Changes
m
Unfortunately, the adoption of short-lived certificates has been hampered by current CA/Browser Forum rules requiring OCSP for all certificates.
deleted sentence that wasn't entirely correct, and was unnecessary.
Like OCSP must-staple, short-lived certificates are another fast-path option for websites, since a supporting browser will skip all revocation checks. Using short-lived certificates instead of a must-staple extension also removes the need to send an OCSP response in the handshake.
Firefox does not perform any form of revocation checking for certificates with a validity period of less than 10 days. That period is configurable via the security.pki.cert_short_lifetime_in_days preference.
