<div dir="auto"><div><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, Apr 27, 2023, 09:36 Dimitris Zacharopoulos (HARICA) via Servercert-wg <<a href="mailto:servercert-wg@cabforum.org">servercert-wg@cabforum.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div><p>If people agree, I would like to keep the language for "online
CAs" to issue CRLs at least once every 7 days but issue and
publish within 4 hours if a Subscriber Certificate is revoked.
That approach would propagate the "revocation message" sooner to
Relying Parties and would also remove the unnecessary "cost" of
issuing CRLs unnecessarily (i.e. if no revocations take place).<br></p>
Thoughts?<br></div></blockquote></div></div><div dir="auto"><br></div><div dir="auto">Although I appreciate the sentiment, I don't think a system like this can be made to work meaningfully.</div><div dir="auto"><br></div><div dir="auto">It's been long established on this list that a certificate is not considered revoked until its new status is globally visible. This has led to many incidents where a CA produced a new OCSP response within the required 24-hour window, but that response wasn't visible (e.g. was hidden behind cached copies of the old response) until after the 24-hour time limit had passed.</div><div dir="auto"><br></div><div dir="auto">In a world where CAs are not issuing OCSP at all, and are relying solely on CRLs to publish revocation information, your proposal becomes cyclic: The CA must publish their CRL within 4 hours of publishing their CRL.</div><div dir="auto"><br></div><div dir="auto">Perhaps the phrasing could be turned inside out. Something like "when a CRL is published, all new entries must have a revocationDate no more than 4 hours before the CRL's thisUpdate". But that phrasing seems torturous and unclear as to the motivation behind it.</div><div dir="auto"><br></div><div dir="auto">I would prefer to instead simply make a carve-out for CAs that have not issued any certificates. Simply, the requirements proposed in this ballot should only apply to CRLs whose cRLDistributionPoint has appeared in at least one certificate. If no publicly-trusted cert has ever pointed a client at this CRL URL, then there are no requirements to be publishing CRLs at that URL. Once the CA has begun issuance, then the CRL requirements should continue until it expires.</div><div dir="auto"><br></div><div dir="auto">Aaron</div><div dir="auto"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div></div>
</blockquote></div></div></div>
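<div dir="auto">The "inside out" phrasing above (every entry that is new in a CRL must have a revocationDate no more than 4 hours before that CRL's thisUpdate) is something a CRL monitor can actually test, because it needs only the previous and the current CRL rather than knowledge of when the CA internally processed the revocation. The following Go program is an added example written for this page; it is not part of the ballot, Aaron's message, or any CA's tooling. It builds a throwaway issuing CA and two consecutive CRLs with constructed entries, then flags new entries whose revocationDate lags thisUpdate by more than the 4-hour bound under discussion. The function names, the CA, the serial numbers and the timestamps are all assumptions made for the example; the 4-hour constant is the proposal in the thread, not a value taken from the Baseline Requirements.</div>

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// MaxLag is the bound sketched in the thread (an assumption for this example):
// an entry that is new in a CRL may carry a revocationDate at most this far
// before that CRL's thisUpdate.
const MaxLag = 4 * time.Hour

// Finding is one new entry whose revocationDate precedes thisUpdate by more
// than MaxLag, i.e. a revocation the CA sat on too long before publishing it.
type Finding struct {
	Serial *big.Int
	Lag    time.Duration
}

// CheckNewEntries compares a freshly fetched CRL against the previous one
// (both DER). Serials absent from prevDER are "new"; for each, it measures how
// far before thisUpdate the revocationDate lies. prevDER may be nil for the
// first CRL ever fetched, in which case every entry counts as new.
func CheckNewEntries(prevDER, curDER []byte) ([]Finding, error) {
	cur, err := x509.ParseRevocationList(curDER)
	if err != nil {
		return nil, fmt.Errorf("current CRL: %w", err)
	}
	seen := map[string]bool{}
	if len(prevDER) > 0 {
		prev, err := x509.ParseRevocationList(prevDER)
		if err != nil {
			return nil, fmt.Errorf("previous CRL: %w", err)
		}
		for _, e := range prev.RevokedCertificates {
			seen[e.SerialNumber.String()] = true
		}
	}
	var findings []Finding
	for _, e := range cur.RevokedCertificates {
		if seen[e.SerialNumber.String()] {
			continue // already published in an earlier CRL: not a new entry
		}
		if lag := cur.ThisUpdate.Sub(e.RevocationTime); lag > MaxLag {
			findings = append(findings, Finding{Serial: e.SerialNumber, Lag: lag})
		}
	}
	return findings, nil
}

// makeCA builds a throwaway self-signed issuing CA (constructed for the example).
// CreateCertificate fills in SubjectKeyId for CA templates, which
// CreateRevocationList requires on the issuer.
func makeCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Issuing CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// makeCRL signs a CRL with the given number, thisUpdate and entries (7-day nextUpdate).
func makeCRL(ca *x509.Certificate, key *ecdsa.PrivateKey, number int64, thisUpdate time.Time, entries []pkix.RevokedCertificate) ([]byte, error) {
	tmpl := &x509.RevocationList{
		Number:              big.NewInt(number),
		ThisUpdate:          thisUpdate,
		NextUpdate:          thisUpdate.Add(7 * 24 * time.Hour),
		RevokedCertificates: entries,
	}
	return x509.CreateRevocationList(rand.Reader, tmpl, ca, key)
}

// Demo constructs two consecutive CRLs (sample data, not real CA output).
// CRL #2 lists serial 1001 (already in CRL #1), 1002 (revoked 1h before
// thisUpdate, within bound) and 1003 (revoked 30h before thisUpdate, late).
func Demo() ([]Finding, error) {
	ca, key, err := makeCA()
	if err != nil {
		return nil, err
	}
	t1 := time.Date(2023, 4, 27, 0, 0, 0, 0, time.UTC)
	t2 := t1.Add(48 * time.Hour)
	prevDER, err := makeCRL(ca, key, 1, t1, []pkix.RevokedCertificate{
		{SerialNumber: big.NewInt(1001), RevocationTime: t1.Add(-time.Hour)},
	})
	if err != nil {
		return nil, err
	}
	curDER, err := makeCRL(ca, key, 2, t2, []pkix.RevokedCertificate{
		{SerialNumber: big.NewInt(1001), RevocationTime: t1.Add(-time.Hour)},
		{SerialNumber: big.NewInt(1002), RevocationTime: t2.Add(-time.Hour)},
		{SerialNumber: big.NewInt(1003), RevocationTime: t2.Add(-30 * time.Hour)},
	})
	if err != nil {
		return nil, err
	}
	return CheckNewEntries(prevDER, curDER)
}

func main() {
	findings, err := Demo()
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("serial %s: revocationDate is %s before thisUpdate (limit %s)\n", f.Serial, f.Lag, MaxLag)
	}
}
```

<div dir="auto">The check deliberately keys on "new relative to the previous CRL" rather than on wall-clock time, which is what makes it testable from the outside: a monitor that polls the distribution point and keeps the last copy can evaluate every published CRL against its predecessor. Two caveats a practitioner should keep in mind: a CA that back-dates or forward-dates revocationDate defeats the check entirely (the field is under the CA's control), and the very first CRL the monitor sees has no predecessor, so the example treats all of its entries as new, which can produce findings for old revocations that were in fact published on time.</div>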