[cabfpub] Certificate lifetimes: end state or trajectory?

Kirk Hall Kirk.Hall at entrustdatacard.com
Fri Mar 3 20:34:06 UTC 2017


Gerv - on the issue of revocation checking, not everyone is asking for browsers to turn on hard fail if the browser fails to get a response to a revocation query in a reasonable time. We would be very happy to continue with soft fail - but please, turn on revocation checking again. Even if the browser doesn't get a timely response in (say) 10% of queries, if it does receive a response "revoked" in the other 90% of queries, and displays that to users, that would be a great increase in user security.

In my view, for revocation checking the choices are not "hard fail for non-response" (which no one is asking for) or "no revocation checking at all".

-----Original Message-----
From: Public [mailto:public-bounces at cabforum.org] On Behalf Of Gervase Markham via Public
Sent: Friday, March 3, 2017 8:46 AM
To: Phillip Hallam-Baker <philliph at comodo.com>; 'CA/Browser Forum Public Discussion List' <public at cabforum.org>
Cc: Gervase Markham <gerv at mozilla.org>
Subject: Re: [cabfpub] Certificate lifetimes: end state or trajectory?

Hi Phillip,

On 03/03/17 16:14, Phillip Hallam-Baker wrote:
> Going from 2 years to 1 or even 90 days makes no significant 
> difference to security in my view. The only way to make a significant 
> difference is to take the vulnerability window down to 3 days or less 
> by requiring effective revocation.

You keep making this point, but it assumes incorrectly that the reason for reducing certificate lifetimes is to reduce the "vulnerability window". That's simply not the case. No-one is arguing "we should reduce certificate lifetimes because then we don't have to bother with revocation at all".

> Right now we have a situation where certain people are loudly 
> asserting that we can't do effective revocation because it requires X 
> and simultaneously asserting that we must make other measures that are 
> less effective but also require X.

What is X in your example?

I would be more open to listening to your thoughts on revocation if I found you could clearly articulate all the reasons for Mozilla's position regarding why we think OCSP hard-fail for every cert is not possible (even if you didn't agree with it). Then you could tell me how whatever plans you have address all those issues. But regardless, let's do that in another thread, because this one is not about revocation.

> CAs and Browser providers naturally have different views on the last 
> as site administrators are our customers. So a proposal that requires 
> hundreds of thousands of site admins to spend hours or days 
> implementing a change is a major issue for CAs.

This is another of those "if this is true, something is very wrong" moments. If it takes hours or days to replace a cert, something is very wrong. Moving from 2 years to 1 year makes it happen twice as often. If it's taking that long, this customer needs automation whether certs are 2 years or 1 year in duration.

Gerv

_______________________________________________
Public mailing list
Public at cabforum.org
https://cabforum.org/mailman/listinfo/public
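The soft-fail versus hard-fail distinction Kirk describes at the top of the thread is easiest to see as a decision function over the four outcomes an OCSP query can have. The following is an added illustration, not code from the thread, Mozilla, or Entrust: the OCSP outcome names, the policy labels, and the constructed traffic sample (10 revoked and 90 valid connections, one query in ten getting no response, mirroring the 10% figure in the message) are assumptions made for the example.

```python
from enum import Enum


class OcspResult(Enum):
    """Outcomes of a single OCSP query (names assumed for this example)."""
    GOOD = "good"                # responder says the cert is not revoked
    REVOKED = "revoked"          # responder says the cert is revoked
    UNKNOWN = "unknown"          # responder answered but does not know the cert
    NO_RESPONSE = "no_response"  # timeout or network error


def accept_certificate(result: OcspResult, policy: str) -> bool:
    """Decide whether a connection proceeds under a revocation-check policy.

    policy is one of (labels assumed for this example):
      "none"      - revocation checking disabled: every cert is accepted
      "soft_fail" - a definitive "revoked" blocks; anything else is accepted
      "hard_fail" - only a definitive "good" is accepted
    """
    if policy == "none":
        return True
    if result is OcspResult.REVOKED:
        return False
    if result is OcspResult.GOOD:
        return True
    # UNKNOWN or NO_RESPONSE: treated as an error, so the policy decides.
    return policy == "soft_fail"


def simulate(connections, policy: str) -> dict:
    """Tally outcomes for (actually_revoked, ocsp_result) pairs under a policy."""
    stats = {"revoked_blocked": 0, "revoked_accepted": 0,
             "valid_blocked": 0, "valid_accepted": 0}
    for actually_revoked, result in connections:
        accepted = accept_certificate(result, policy)
        if actually_revoked:
            stats["revoked_accepted" if accepted else "revoked_blocked"] += 1
        else:
            stats["valid_accepted" if accepted else "valid_blocked"] += 1
    return stats


def constructed_sample():
    """Constructed traffic: 10 connections to revoked certs, 90 to valid ones.

    One query in ten (index 0, 10, 20, ...) gets no response, so the
    responder answers 90% of the time, as in the 10%/90% split above.
    """
    conns = []
    for i in range(10):
        conns.append((True, OcspResult.NO_RESPONSE if i % 10 == 0 else OcspResult.REVOKED))
    for i in range(90):
        conns.append((False, OcspResult.NO_RESPONSE if i % 10 == 0 else OcspResult.GOOD))
    return conns


if __name__ == "__main__":
    for policy in ("none", "soft_fail", "hard_fail"):
        print(policy, simulate(constructed_sample(), policy))
```

Running it shows the trade-off the thread is arguing over: with checking disabled all 10 revoked certificates are accepted; soft fail blocks the 9 whose "revoked" answer arrived and lets the one timed-out connection through, without blocking any valid site; hard fail blocks all 10 but also blocks the 9 valid connections whose query timed out.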



More information about the Public mailing list