[cabfpub] Draft Ballot 185 - Limiting the Lifetime of Certificates

Ryan Sleevi sleevi at google.com
Fri Feb 3 22:35:46 UTC 2017

On Fri, Feb 3, 2017 at 1:57 PM, Kirk Hall via Public <public at cabforum.org>

> I think you are overstating the consensus on the idea that “revocation
> checking doesn’t work.”  Which relying parties have said that?

> And much of your justification for the changes you want to make on
> certificate lifetime are based on that conclusion.

This is frankly incorrect, but I'm not sure whether your confusion is
intentional or accidental. The biggest challenge to making _any_ change to
the ecosystem is CAs continued resistance and opposition, and the many year
lifetimes of certificates and reuse of information are unquestionably a
fundamental problem - the largest problem - independent of revocation.

>   But many disagree with that conclusion, and if we’re going to work on
> ways to deal with certificate revocation, then a renewed push for
> revocation checking is something we should also be discussing.
> Here is the conclusion from a well-respected 2015 academic study from
> Stanford measuring browser revocation checking.  The study even included
> suggestions on how to improve CRLSets that could “could increase their
> coverage by several orders of magnitude”.  Is Google willing to work on
> these issues as well?  We are all in this together – CAs and browsers – in
> improving user security.

If you'd like browsers to start mandating CAs take action - we can
certainly go down that route. Because much of the paper focuses on the
failings of CAs causing profound ecosystem harm.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20170203/96ea85e0/attachment-0003.html>

More information about the Public mailing list