[cabfpub] Pre-Ballot - Short-Life Certificates

Gervase Markham gerv at mozilla.org
Fri Oct 24 06:12:59 MST 2014


On 24/10/14 13:40, Rich Smith wrote:
> I keep coming back to this same question every time this comes up, and I 
> have not received a satisfactory answer yet:
> Why MUST a short lived certificate be issued without containing 
> revocation information?

And I keep asking it every time you ask: because putting in revocation
information eliminates 90% of their advantage, because there is then no
advantage in all the currently-existing clients. A short-lived cert with
revocation pointers will still incur the delay of revocation checking,
even though (this is the argument, and the argument with which I hope
you will engage) it's not necessary to provide them because the security
properties of a 3-day cert are broadly comparable to a 1-year cert with
10-day, 5-day or 3-day-expiry OCSP responses.

> The simple fact of the matter is that revocation info in the certificate 
> MAY help SOME users IF the certificate gets revoked, and I have yet to 
> see anyone offer up any decent argument for why the revocation info 
> absolutely MUST NOT be present for short-lived certs to work.

No one is arguing that it MUST NOT be present for short-lived
certificates to "work". But if a site and a CA are together considering
deploying such a technology, they will look at the costs and benefits.
There will be significant costs in setting up the system; if the
benefits are only in 5% or 10% of clients, it may well be judged not to
be worth it.

> I'm open 
> to such an argument, but until I see it I remain opposed to a ballot to 
> allow any certificate to be issued without revocation information.

I don't understand this position. Surely the acceptability or not of
short-lived certificates should depend on whether their security
properties are broadly comparable to existing solutions, not on whether
I can construct an argument that shows it's required to remove the
revocation information for it to be technically feasible to deploy them?

Gerv


More information about the Public mailing list