[cabfpub] Pre-Ballot - Short-Life Certificates

Gervase Markham gerv at mozilla.org
Thu Nov 6 02:23:55 MST 2014


On 05/11/14 19:11, Tim Hollebeek wrote:
> I haven't seen any argument made that this type of certificate "is
> not permitted" by the Forum.

I also addressed this further up-thread.

The forum does permit certificates with a lifetime of 3 days. The forum
does not permit certificates without revocation markers.

Certificates with a lifetime of 3 days without revocation markers are
significantly more useful than certificates with a lifetime of 3 days
that have revocation markers. The reason for this is that one of the
problems with current revocation mechanisms (e.g. OCSP) that people are
trying to deal with is that they require a time-consuming network
request which blocks the entire load of the page. Removing the
revocation markers avoids that load in all current browsers. This
avoidance of slowdown, taken in itself, is clearly a win for users.

Deployment of short-life certs involves engineering effort for both CA
and site. There is significantly more incentive to make that effort if
the benefits can be felt on every browser, not just on the percentage
which have special treatment for short-life certs.

But all of that is kind of irrelevant. The question before the forum is
this:

Considering the way revocation works on the internet today, do
certificates with no revocation pointers and a 2-day lifetime* have
broadly equivalent security properties to an N-year cert with revocation
pointers?

I think the case has been well made for "yes", given current mandated
OCSP lifetimes, the ability of network-controlling attackers to block
OCSP responses, and many other points. But each must make their own
judgement.

If you believe the answer is yes, you should vote for the ballot. If you
believe the answer is no, you should vote against. Points like "this
won't work" are irrelevant - if you think it won't work, don't deploy
it. No-one is forced to issue such certs.

Gerv


* In practice, it's 2 days rather than 3 because the expected issuance
model is to backdate 1 day to account for clock skew.
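The validity arithmetic behind this message, and the reason the footnote's 1-day backdating matters, can be worked through in a few lines. The following is an added illustration, not code from this thread or from the CA/Browser Forum: it builds the notBefore/notAfter window under the "3 days, backdated 1 day" issuance model, checks whether a client with a skewed clock would accept the certificate, and compares how long a compromised key stays usable under a short-life cert versus a long-lived cert whose OCSP lookups an on-path attacker can block. The OCSP response maximum age (`ocsp_max_age_days`) and the client skew values are assumptions supplied by the caller, not figures taken from the message.

```python
from datetime import datetime, timedelta, timezone

# Figures from the message: the forum permits a 3-day lifetime, and the
# expected issuance model backdates notBefore by 1 day for clock skew.
LIFETIME_DAYS = 3
BACKDATE_DAYS = 1


def short_life_window(issued_at, lifetime_days=LIFETIME_DAYS, backdate_days=BACKDATE_DAYS):
    """Return (notBefore, notAfter) for a cert issued at `issued_at`.

    The whole lifetime is counted from the backdated notBefore, so the
    forward validity a correctly-clocked client sees is lifetime - backdate
    (2 days for the 3-day / 1-day model in the footnote)."""
    not_before = issued_at - timedelta(days=backdate_days)
    not_after = not_before + timedelta(days=lifetime_days)
    return not_before, not_after


def forward_validity_days(issued_at, **kwargs):
    """Days of validity remaining at issuance, as seen by a correct clock."""
    _, not_after = short_life_window(issued_at, **kwargs)
    return (not_after - issued_at) / timedelta(days=1)


def accepted_by_client(window, true_time, client_skew):
    """Would a client whose clock is off by `client_skew` accept the cert?

    A client running behind real time sees a freshly issued, non-backdated
    cert as 'not yet valid'; backdating absorbs that skew."""
    not_before, not_after = window
    client_now = true_time + client_skew
    return not_before <= client_now <= not_after


def exposure_hours(window, compromise_time, model, ocsp_max_age_days=None):
    """Hours a compromised key stays usable after `compromise_time`.

    'short-life'   : no revocation pointers; use ends at notAfter.
    'ocsp-blocked' : long-lived cert, attacker on path blocks OCSP and the
                     browser soft-fails; use also ends only at notAfter.
    'ocsp-stapled' : client insists on a fresh stapled response; attacker can
                     replay the last good one only until it ages out.
    `ocsp_max_age_days` is an assumed policy input, not a figure from the thread."""
    _, not_after = window
    until_expiry = max(not_after - compromise_time, timedelta(0))
    if model in ("short-life", "ocsp-blocked"):
        bound = until_expiry
    elif model == "ocsp-stapled":
        if ocsp_max_age_days is None:
            raise ValueError("ocsp-stapled model needs ocsp_max_age_days")
        bound = min(until_expiry, timedelta(days=ocsp_max_age_days))
    else:
        raise ValueError(f"unknown revocation model {model!r}")
    return bound / timedelta(hours=1)


if __name__ == "__main__":
    # Constructed sample: issuance at the timestamp of this message (UTC).
    issued = datetime(2014, 11, 6, 9, 23, 55, tzinfo=timezone.utc)
    window = short_life_window(issued)
    print("notBefore/notAfter:", window)
    print("forward validity (days):", forward_validity_days(issued))

    # Constructed skew: a client whose clock runs 6 hours slow.
    slow = timedelta(hours=-6)
    print("backdated cert accepted by slow client:", accepted_by_client(window, issued, slow))
    print("non-backdated cert accepted by slow client:",
          accepted_by_client(short_life_window(issued, backdate_days=0), issued, slow))

    # Key compromised one day after issuance; compare with a 1-year cert.
    compromise = issued + timedelta(days=1)
    long_lived = short_life_window(issued, lifetime_days=365, backdate_days=0)
    print("short-life exposure (h):", exposure_hours(window, compromise, "short-life"))
    print("1-year cert, OCSP blocked (h):", exposure_hours(long_lived, compromise, "ocsp-blocked"))
    print("1-year cert, stapled, 10-day max age (h):",
          exposure_hours(long_lived, compromise, "ocsp-stapled", ocsp_max_age_days=10))
```

The two "OCSP blocked" and "short-life" numbers are the comparison the message asks each member to make: when a network-controlling attacker can block OCSP and the browser soft-fails, the long-lived cert's exposure is bounded only by its own expiry, while the short-life cert is bounded by a notAfter that is at most 2 days out.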

