[cabfpub] Why would effective revocation be "not sufficient"? (was Re: Draft Ballot 185 - Limiting the Lifetime of Certificates)
Rob Stradling
rob.stradling at comodo.com
Mon Feb 6 15:04:43 UTC 2017
On 03/02/17 17:38, Ryan Sleevi wrote:
> On Fri, Feb 3, 2017 at 9:11 AM, Rob Stradling wrote:
> Ryan, what targets
> (filesize/performance/reliability/reachability/etc) would CAs need
> to meet before it would become viable to reintroduce CRLs to the
> WebPKI (i.e., for Chrome to start checking CRLs and hard-failing if
> they're unobtainable)?
>
> Happy to have that discussion at another time, but it's not germane to
> the discussion at hand, as I clearly indicated in the original message.
> It's necessary, but not sufficient, to have that, and we're not
> presently proposing addressing all the other necessary conditions. Baby
> steps.
Ryan, before I accept your side-stepping of my question, I would like
everybody to fully understand precisely why you're saying that effective
revocation checking would be "not sufficient" as an alternative to
reducing certificate lifetimes. ISTM that lots of folks do not grok you
yet, so please humour me for a moment...
Let's pretend, for the duration of this sub-thread, that revocation is
already 100% effective. i.e., Whenever a CA clicks the "Revoke" button,
magic things happen, and within an acceptably short period of time 100%
of users are prevented from relying on that certificate.
Please would you enumerate precisely what, under these (currently
pretend) conditions, you would consider to be the security benefits
(that aren't already provided by effective revocation) of reducing the
maximum permitted certificate lifetime?
Thanks.
--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
More information about the Public
mailing list