[cabfpub] [cabfman] Notes of meeting, CAB Forum, 21 March 2013, Version 1

Eddy Nigg (StartCom Ltd.) eddy_nigg at startcom.org
Fri Mar 22 21:14:36 UTC 2013

On 03/22/2013 09:47 PM, From Jeremy Rowley:
> Why?  What risks do short lived certificates provide over other types 
> of certificates.

First of all I don't believe that there can be a robust mechanism to 
issue certificates with such a frequency where the CA does its pre and 
post issuance diligence. I'd consider such issuance more risky than a 
controlled and supervised manner (assuming that CAs did implement some 
due diligence for issuing certificates in the post Diginotar aera). This 
is my main objection and critical in my opinion.

Second, for an attacker 3 - 7 days is a long time to achieve their goals 
most of the time, by repeating same attack which would go undetected due 
to the above mentioned missing diligence, this could go on for a while.

Third, most software (browsers and other clients) check revocation 
usually on a higher frequency then possible nextUpdate fields in OCSP 
and CRLs, specially when relying on OCSP. Removing revocation status DPs 
will allow an attacker to complete his attack happily even if the CA has 
become aware of it. Software updates wouldn't be fast enough either.

Forth, browsers don't check revocation status all at the same time, 
making attacks more difficult when revocation status DPs are defined 
(system restarts, first access, access after 24 hours depending on 
software trigger a revocation status check). This will make an attack 
less reliable and also detectable by the client (if configured correctly).

Signer: 	Eddy Nigg, COO/CTO
	StartCom Ltd. <http://www.startcom.org>
XMPP: 	startcom at startcom.org <xmpp:startcom at startcom.org>
Blog: 	Join the Revolution! <http://blog.startcom.org>
Twitter: 	Follow Me <http://twitter.com/eddy_nigg>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20130322/14a6d936/attachment-0003.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4540 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.cabforum.org/pipermail/public/attachments/20130322/14a6d936/attachment-0001.p7s>

More information about the Public mailing list