
How is this actually better (or conceptually even different) than just having the issuer's servers issue new certificates that only last 24 hours?




It's not better.

Short lived certificates are definitely the better way forward.

24 hour certificates will add significantly more load on CAs, a lot more than maintaining an OCSP responder.


But, signing the updated expiration date seems like exactly the same amount of signing as just signing the entire certificate?


