[cabfpub] Why would effective revocation be "not sufficient"? (was Re: Draft Ballot 185 - Limiting the Lifetime of Certificates)

Rob Stradling rob.stradling at comodo.com
Mon Feb 6 15:04:43 UTC 2017


On 03/02/17 17:38, Ryan Sleevi wrote:
> On Fri, Feb 3, 2017 at 9:11 AM, Rob Stradling wrote:
>     Ryan, what targets
>     (filesize/performance/reliability/reachability/etc) would CAs need
>     to meet before it would become viable to reintroduce CRLs to the
>     WebPKI (i.e., for Chrome to start checking CRLs and hard-failing if
>     they're unobtainable)?
>
> Happy to have that discussion at another time, but it's not germane to
> the discussion at hand, as I clearly indicated in the original message.
> It's necessary, but not sufficient, to have that, and we're not
> presently proposing addressing all the other necessary conditions. Baby
> steps.

Ryan, before I accept your side-stepping of my question, I would like 
everybody to fully understand precisely why you're saying that effective 
revocation checking would be "not sufficient" as an alternative to 
reducing certificate lifetimes.  ISTM that lots of folks do not grok you 
yet, so please humour me for a moment...

Let's pretend, for the duration of this sub-thread, that revocation is 
already 100% effective.  i.e., Whenever a CA clicks the "Revoke" button, 
magic things happen, and within an acceptably short period of time 100% 
of users are prevented from relying on that certificate.

Please would you enumerate precisely what, under these (currently 
pretend) conditions, you would consider to be the security benefits 
(that aren't already provided by effective revocation) of reducing the 
maximum permitted certificate lifetime?

Thanks.

-- 
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online




More information about the Public mailing list