[cabfpub] Pre-Ballot - Short-Life Certificates

Eddy Nigg eddy_nigg at startcom.org
Tue Oct 28 02:17:58 MST 2014


You nailed it Kirk, excellent! As such the risks for short-lived 
certificates remain and don't really go away, but that's another issue.

On 10/28/2014 01:43 AM, kirk_hall at trendmicro.com wrote:
> Gerv, I've pasted in your original response to this question below.
>
> If I can summarize, you don't want revocation pointers in new "short lived certs" as defined because legacy browsers and apps (i.e., every browser and app in use today) will continue to check for revocation information, thereby lowering the benefit of this new type of cert.  (You estimated 90% will still check for revocation -- but is that number realistic under Google's and Mozilla's current revocation checking processes?  I thought revocation checking was already omitted today for many long-lived certs...)
>
> My question back is: how long would it take Firefox and Google (and other interested browsers) to modify your browser software as Tim and Rich have suggested - ignore revocation pointers if the cert is a short lived cert?  And how quickly would those code changes get distributed to your users?
>
> The burden of revocation checking falls mostly on CAs, and it can only get better (fewer revocation checks) if some browsers decide not to check revocation for (self-designated) short-lived certs by modifying their software.  So why not just move forward as browsers to do this?  The revocation checking burden on CAs that decide to start issuing short-lived certs would not go up as compared to current long-lived certs, and over time (maybe quickly) would go down.
>
> Having said that, Trend Micro is not yet convinced this is a good idea for the reasons stated by others -- but the browsers don't have to wait if they think the risk from eliminating revocation checking for short lived certs is acceptable.

-- 
Regards
Signer: Eddy Nigg, COO/CTO, StartCom Ltd. <http://www.startcom.org>
XMPP: startcom at startcom.org <xmpp:startcom at startcom.org>
Blog: Join the Revolution! <http://blog.startcom.org>
Twitter: Follow Me <http://twitter.com/eddy_nigg>
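The client-side change Tim and Rich are credited with proposing in the quoted message (ignore the CRL/OCSP pointers when the certificate is short-lived) can be made concrete. The following Go program is an added illustration and is not code from the thread, from any browser, or from StartCom; it builds a self-signed test certificate with constructed CRL and OCSP URLs, then applies two policies to it: the legacy policy (check whenever pointers are present) and the proposed policy (skip the lookup when the validity period is at or below a threshold). The seven-day threshold and the `example.test` URLs are assumptions for the example; the thread does not fix a number.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// RevocationPolicy describes how a relying party treats revocation pointers.
// SkipShortLived=false models every browser in use at the time of the thread;
// SkipShortLived=true models the proposed change.
type RevocationPolicy struct {
	SkipShortLived bool
	MaxShortLived  time.Duration // assumed threshold; not defined by the thread
}

// Decision records why a revocation lookup was or was not performed.
type Decision struct {
	Validity        time.Duration
	ShortLived      bool
	HasPointers     bool
	CheckRevocation bool
}

// decideRevocationCheck returns whether a client following policy would
// contact the CA's CRL or OCSP endpoint for this certificate.
func decideRevocationCheck(cert *x509.Certificate, policy RevocationPolicy) Decision {
	validity := cert.NotAfter.Sub(cert.NotBefore)
	hasPointers := len(cert.CRLDistributionPoints) > 0 || len(cert.OCSPServer) > 0
	shortLived := validity <= policy.MaxShortLived
	check := hasPointers
	if policy.SkipShortLived && shortLived {
		check = false // the proposed behaviour: pointers present but ignored
	}
	return Decision{Validity: validity, ShortLived: shortLived, HasPointers: hasPointers, CheckRevocation: check}
}

// makeTestCert builds a self-signed certificate with the requested validity.
// The subject name and pointer URLs are constructed test data.
func makeTestCert(validity time.Duration, withPointers bool) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now().Truncate(time.Second) // X.509 times carry second precision
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example.test"},
		NotBefore:    now,
		NotAfter:     now.Add(validity),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     []string{"example.test"},
	}
	if withPointers {
		tmpl.CRLDistributionPoints = []string{"http://crl.example.test/ca.crl"}
		tmpl.OCSPServer = []string{"http://ocsp.example.test"}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	legacy := RevocationPolicy{SkipShortLived: false, MaxShortLived: 7 * 24 * time.Hour}
	proposed := RevocationPolicy{SkipShortLived: true, MaxShortLived: 7 * 24 * time.Hour}
	for _, days := range []int{3, 365} {
		cert, err := makeTestCert(time.Duration(days)*24*time.Hour, true)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%d-day cert: legacy client checks=%v, updated client checks=%v\n",
			days, decideRevocationCheck(cert, legacy).CheckRevocation,
			decideRevocationCheck(cert, proposed).CheckRevocation)
	}
}
```

The output makes Kirk's point visible: for the same three-day certificate with pointers, the legacy client still performs the lookup and the updated client does not, so the load on the CA's endpoints only drops as the updated policy reaches a client population.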
