[cabfpub] [cabfman] Notes of meeting, CAB Forum, 21 March 2013, Version 1

[Jeremy Rowley]

First of all I don't believe that there can be a robust mechanism to issue certificates with such a frequency where the CA does its pre and post issuance diligence. I'd consider such issuance more risky than a controlled and supervised manner (assuming that CAs did implement some due diligence for issuing certificates in the post Diginotar aera). This is my main objection and critical in my opinion.

[JR] Depends on the CA.  Obviously, some CAs have better post and pre issuance diligence practices than others.  I think a correctly operating CA issuing short lived certificates can have just as good of post issuance and pre issuance diligence as one that issues longer lived certs.  In fact, better practices since they don’t have to worry about OCSP up-time, CRL availability, and the timely processing of revocation requests.  Plus, you don’t have revocation-for-business reasons cluttering the CRL and OCSP responses.  I believe it’s much less risky since there is a lot less that can go wrong.

Second, for an attacker 3 - 7 days is a long time to achieve their goals most of the time, by repeating same attack which would go undetected due to the above mentioned missing diligence, this could go on for a while.

[JR] That argument is bogus. Because of the BR 7/10 update requirement, any attacker has between 7-10 days to make their attack. The post issuance obligations remain the same.  You discover a breach, you report the breach to the browsers and turn off related issuance.  If you are arguing for a shorter time under the BRs, I’d support that and update my proposal for short-lived certs accordingly.

Third, most software (browsers and other clients) check revocation usually on a higher frequency then possible nextUpdate fields in OCSP and CRLs, specially when relying on OCSP. Removing revocation status DPs will allow an attacker to complete his attack happily even if the CA has become aware of it. Software updates wouldn't be fast enough either.

[JR] Not accurate.  As someone pointed out a while ago, Microsoft caches responses for 80% of the OCSP next update. Under the BRs this is 8 days. Software updates can be rolled out much faster than this (based on the actions taken by the major browsers in response to the events of a few years ago).  Again, sounds like you are arguing for a change in the BR’s requirements on OCSP and CRL rather than directly against short-lived certificates.

Forth, browsers don't check revocation status all at the same time, making attacks more difficult when revocation status DPs are defined (system restarts, first access, access after 24 hours depending on software trigger a revocation status check). This will make an attack less reliable and also detectable by the client (if configured correctly).



[JR] Correct.  Some browsers don’t check revocation at all. I hardly think that is an argument against a guaranteed method of revocation checking like short lived certs provides. Also, if the client can’t access the revocation information (say in the case of a government sponsored attack), you’re basically screwed using traditional revocation. You simply can’t revoke the certificate, whereas with short lived certificates you have assurance that those certificates will at least cease functioning after a certain time.

Would it alleviate concerns if short-lived certs are issued from a different intermediate than other certs?  The intermediate still contains revocation information.  If something goes horribly wrong, you can always shut off the intermediate.

Jeremy

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20130322/00abebc9/attachment-0003.html>