[cabfpub] Pre-Ballot - Short-Life Certificates
Rich Smith
richard.smith at comodo.com
Fri Oct 24 05:40:55 MST 2014
I keep coming back to this same question every time this comes up, and I
have not received a satisfactory answer yet:
Why MUST a short lived certificate be issued without containing
revocation information?
Obviously there are browser members of this group who are as interested
in experimenting with this as some CA members. Great!! So why don't
those browser members formulate code which ignores revocation info based
upon the Not Before and Not After dates? That solves the problem
without changing the certificate content requirements.
The simple fact of the matter is that revocation info in the certificate
MAY help SOME users IF the certificate gets revoked, and I have yet to
see anyone offer up any decent argument for why the revocation info
absolutely MUST NOT be present for short-lived certs to work. I'm open
to such an argument, but until I see it I remain opposed to a ballot to
allow any certificate to be issued without revocation information.
-Rich
On 10/24/2014 3:00 AM, Gervase Markham wrote:
> On 23/10/14 19:20, Rick Andrews wrote:
>> Gerv, I'm not sure that forbidding CAs to pre-issue short-lived certs
>> is auditable, or even desirable. If an attacker can get in to the
>> CA's database and extract information, that CA is in big trouble, not
>> specifically related to short-lived certs.
> The risk I am attempting to mitigate here is the one of the CA who
> pre-issues a whole year's worth of "short-lived" certs with sequential
> notBefore dates and passes them on to the customer as a block. If the
> customer is then compromised, it's as if the attacker had stolen a cert
> of a year's duration with no revocation information, because they can do
> exactly what the site was doing, and keep deploying a new one of the
> certs every day.
>
> So this is not a concern about CA compromise, but client compromise.
>
> I'm very open to alternative wordings which address this risk.
>
> Gerv
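The two mechanisms argued over above (a client rule that ignores revocation info purely from the notBefore/notAfter dates, and Gerv's pre-issued block of "short-lived" certs), as an added example that is not part of the thread. The 72-hour threshold, the clock-skew tolerance and the shape of the CA issuance log are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
MAX_SHORT_LIVED = timedelta(hours=72)  # assumed threshold, not from the thread
CLOCK_SKEW = timedelta(minutes=5)      # assumed tolerance for client clock error


@dataclass(frozen=True)
class CertValidity:
    serial: str
    not_before: datetime
    not_after: datetime

    def lifetime(self) -> timedelta:
        return self.not_after - self.not_before


def may_skip_revocation_check(cert: CertValidity, now: datetime) -> bool:
    """Client-side rule from the thread: ignore revocation info only when the
    validity window is short AND the cert is inside that window right now.
    The dates alone decide; whether CRL/OCSP pointers are present is irrelevant."""
    if cert.lifetime() <= timedelta(0) or cert.lifetime() > MAX_SHORT_LIVED:
        return False
    return (cert.not_before - CLOCK_SKEW) <= now <= (cert.not_after + CLOCK_SKEW)


def find_pre_issued(issuance_log, tolerance=timedelta(hours=1)):
    """CA-side audit for Gerv's risk. Each log entry pairs the time the CA
    signed a cert (assumed to come from the CA's own records) with the cert.
    A notBefore well ahead of signing time means a pre-issued cert, which a
    client cannot distinguish from a freshly issued one."""
    return sorted(cert.serial for signed_at, cert in issuance_log
                  if cert.not_before - signed_at > tolerance)


# Constructed sample data; "now" is pinned so the results are deterministic.
NOW = datetime(2014, 10, 24, 12, 0, tzinfo=UTC)
DAILY = CertValidity("01", NOW - timedelta(hours=2), NOW + timedelta(hours=22))
YEARLY = CertValidity("02", NOW - timedelta(days=30), NOW + timedelta(days=335))
TOMORROW = CertValidity("03", NOW + timedelta(days=1), NOW + timedelta(days=2))
ISSUANCE_LOG = [
    (NOW - timedelta(hours=2), DAILY),     # signed as its window opened
    (NOW - timedelta(hours=2), TOMORROW),  # signed a day ahead of its notBefore
]

if __name__ == "__main__":
    print(may_skip_revocation_check(DAILY, NOW))     # True
    print(may_skip_revocation_check(YEARLY, NOW))    # False: a year is not short-lived
    print(may_skip_revocation_check(TOMORROW, NOW))  # False: not yet within its window
    print(find_pre_issued(ISSUANCE_LOG))            # ['03']
```

The client rule alone never catches the pre-issued block, because each cert in it looks like any other one-day cert once its notBefore arrives; only the issuer's own signing-time records expose it.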