[cabfpub] Draft Ballot 185 - Limiting the Lifetime of Certificates
rbarnes at mozilla.com
Fri Feb 3 19:40:33 UTC 2017
Is there anyone on the relying party side of the universe that believes
revocation works? Even among browsers that send OCSP requests, none of
them hard-fail if it doesn't work, because in practice, OCSP servers are so
awful that HTTPS would become unusable. So OCSP is still, as AGL says, a
seat belt that breaks when you crash. Seems fair to call that broken.
Even if OCSP (or some replacement for it) were magically to become usable,
though, this ballot would still be necessary for all the other reasons that
have been discussed here.
On Fri, Feb 3, 2017 at 11:34 AM, Rich Smith via Public <public at cabforum.org>
> Ryan, since you're using your age old FUD "revocation doesn't work"
> (because certain browsers have chosen not to consult revocation
> information) as part of the reasoning as to why this ballot is necessary, I
> think it's quite germane to the discussion.
> On 2/3/2017 11:38 AM, Ryan Sleevi via Public wrote:
> On Fri, Feb 3, 2017 at 9:11 AM, Rob Stradling <rob.stradling at comodo.com>
>> Ryan, what targets (filesize/performance/reliability/reachability/etc)
>> would CAs need to meet before it would become viable to reintroduce CRLs to
>> the WebPKI (i.e., for Chrome to start checking CRLs and hard-failing if
>> they're unobtainable)?
> Happy to have that discussion at another time, but it's not germane to the
> discussion at hand, as I clearly indicated in the original message. It's
> necessary, but not sufficient, to have that, and we're not presently
> proposing addressing all the other necessary conditions. Baby steps.
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public
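The "seat belt that breaks when you crash" behaviour described above is a policy choice in the relying party's revocation logic: when the OCSP fetch fails or the answer is stale, a soft-fail client proceeds as if the certificate were good, while a hard-fail client (or a certificate carrying the TLS must-staple extension) refuses the connection. The following is an added illustration of that decision logic, not code from the CA/Browser Forum thread or any browser; the policy names, the `OcspResult` fields and the seven-day fallback window for responses with no nextUpdate are assumptions made for the example.

```python
"""Relying-party revocation decision under soft-fail vs hard-fail policy.

Added example, not code from the cabfpub thread. Field names, the Policy
enum and the fallback freshness window are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Dict, Optional, Tuple


class CertStatus(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    UNKNOWN = "unknown"      # responder has no record of this serial


@dataclass
class OcspResult:
    """Outcome of one OCSP lookup.

    `status is None` models a failed fetch (timeout, HTTP error, undecodable
    body): there is no signed answer at all, which is the case the post
    says browsers silently tolerate.
    """
    status: Optional[CertStatus]
    this_update: Optional[datetime] = None
    next_update: Optional[datetime] = None


class Policy(Enum):
    SOFT_FAIL = "soft-fail"   # accept when no usable answer is available
    HARD_FAIL = "hard-fail"   # reject unless a fresh 'good' answer exists


# Assumed upper bound on response age when the responder omits nextUpdate.
MAX_RESPONSE_AGE = timedelta(days=7)


def response_is_fresh(result: OcspResult, now: datetime) -> bool:
    """A response is usable only inside its [thisUpdate, nextUpdate] window."""
    if result.this_update is None or result.this_update > now:
        return False
    if result.next_update is not None:
        return now <= result.next_update
    return now - result.this_update <= MAX_RESPONSE_AGE


def accept_certificate(result: OcspResult, policy: Policy, now: datetime,
                       must_staple: bool = False) -> bool:
    """True if the relying party should proceed with the connection."""
    if result.status is CertStatus.REVOKED:
        return False                      # a revoked answer is never ignored
    if result.status is CertStatus.GOOD and response_is_fresh(result, now):
        return True                       # fresh positive answer
    # No answer, 'unknown', or a stale answer: this is where policy decides.
    if must_staple:
        return False                      # certificate opted into hard-fail
    return policy is Policy.SOFT_FAIL


# Constructed scenarios, pinned to the timestamp of the post above.
NOW = datetime(2017, 2, 3, 19, 40, tzinfo=timezone.utc)
SCENARIOS: Dict[str, OcspResult] = {
    "fresh_good": OcspResult(CertStatus.GOOD,
                             NOW - timedelta(days=1), NOW + timedelta(days=6)),
    "fresh_revoked": OcspResult(CertStatus.REVOKED,
                                NOW - timedelta(days=1), NOW + timedelta(days=6)),
    "stale_good": OcspResult(CertStatus.GOOD,
                             NOW - timedelta(days=10), NOW - timedelta(days=3)),
    "unknown": OcspResult(CertStatus.UNKNOWN,
                          NOW - timedelta(days=1), NOW + timedelta(days=6)),
    "responder_down": OcspResult(None),   # fetch failed, nothing signed
}


def evaluate_all(must_staple: bool = False) -> Dict[Tuple[str, str], bool]:
    """Run every scenario under both policies; keys are (scenario, policy)."""
    return {
        (name, policy.value): accept_certificate(result, policy, NOW, must_staple)
        for name, result in SCENARIOS.items()
        for policy in Policy
    }


if __name__ == "__main__":
    for (name, policy), accepted in evaluate_all().items():
        print(f"{name:15s} {policy:10s} -> {'accept' if accepted else 'reject'}")
```

Running it shows the asymmetry the post complains about: `responder_down` and `stale_good` are accepted under soft-fail and rejected under hard-fail, so an attacker who can block or delay the OCSP fetch of a soft-fail client gets the same result as a good answer. A bounded certificate lifetime, the subject of the ballot, limits how long that window stays exploitable regardless of which policy the client runs.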