[cabfpub] Draft Ballot 185 - Limiting the Lifetime of Certificates

Ryan Sleevi sleevi at google.com
Fri Feb 3 22:35:46 UTC 2017


On Fri, Feb 3, 2017 at 1:57 PM, Kirk Hall via Public <public at cabforum.org>
wrote:

> I think you are overstating the consensus on the idea that “revocation
> checking doesn’t work.”  Which relying parties have said that?
>
> And much of your justification for the changes you want to make on
> certificate lifetime are based on that conclusion.
>

This is frankly incorrect, but I'm not sure whether your confusion is
intentional or accidental. The biggest challenge to making _any_ change to
the ecosystem is CAs' continued resistance and opposition, and the many-year
lifetimes of certificates and reuse of information are unquestionably a
fundamental problem - the largest problem - independent of revocation.


>   But many disagree with that conclusion, and if we’re going to work on
> ways to deal with certificate revocation, then a renewed push for
> revocation checking is something we should also be discussing.
>
> Here is the conclusion from a well-respected 2015 academic study from
> Stanford measuring browser revocation checking.  The study even included
> suggestions on how to improve CRLSets that “could increase their
> coverage by several orders of magnitude”.  Is Google willing to work on
> these issues as well?  We are all in this together – CAs and browsers – in
> improving user security.
>

If you'd like browsers to start mandating CAs take action - we can
certainly go down that route. Because much of the paper focuses on the
failings of CAs causing profound ecosystem harm.