[cabfpub] Pre-Ballot - Short-Life Certificates

Rich Smith richard.smith at comodo.com
Fri Oct 24 05:40:55 MST 2014


I keep coming back to this same question every time this comes up, and I 
have not received a satisfactory answer yet:
Why MUST a short lived certificate be issued without containing 
revocation information?

Obviously there are browser members of this group who are as interested 
in experimenting with this as some CA members.  Great!! So why don't 
those browser members formulate code which ignores revocation info based 
upon the the Not Before and Not After dates? That solves the problem 
without changing the certificate content requirements.

The simple fact of the matter is that revocation info in the certificate 
MAY help SOME users IF the certificate gets revoked, and I have yet to 
see anyone offer up any decent argument for why the revocation info 
absolutely MUST NOT be present for short-lived certs to work.  I'm open 
to such an argument, but until I see it I remain opposed to a ballot to 
allow any certificate to be issued without revocation information.

-Rich

On 10/24/2014 3:00 AM, Gervase Markham wrote:
> On 23/10/14 19:20, Rick Andrews wrote:
>> Gerv, I'm not sure that forbidding CAs to pre-issue short-lived certs
>> is auditable, or even desirable. If an attacker can get in to the
>> CA's database and extract information, that CA is in big trouble, not
>> specifically related to short-lived certs.
> The risk I am attempting to mitigate here is the one of the CA who
> pre-issues a whole year's worth of "short-lived" certs with sequential
> notBefore dates and passes them on to the customer as a block. If the
> customer is then compromised, it's as if the attacker had stolen a cert
> of a year's duration with no revocation information, because they can do
> exactly what the site was doing, and keep deploying a new one of the
> certs every day.
>
> So this is not a concern about CA compromise, but client compromise.
>
> I'm very open to alternative wordings which address this risk.
>
> Gerv
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public



More information about the Public mailing list