[cabfpub] FWD: New directions in certificate status

Phill philliph at comodo.com
Thu Oct 16 16:42:14 UTC 2014

Please note:

Also note the pending IPR disclosure.

In brief Rob Stradling and myself have come up with a radically new
approach to certificate status that is vastly more efficient than any
previous proposal that provides finer grain certificate status than
the certificate validity interval.

While compressing hash tables might appear to be a fools errand, it
turns out that if the problem is correctly understood, CRLs actually
compress astonishingly well. It is actually possible to represent the
status of every one of the half million revoked certificates in the
WebPKI using fewer bytes than the heavily edited Google CRLSet.

There is still a powerful case for short lived certificates. But the
minimum feasible expiry interval for short lived certs is 48 hours.
Using a compressed CRL in combination with short lived certs would
allow the vulnerability window to be reduced to minutes.

We are of course aware that deployment will require a licensing regime
that meets the need of all parties including competing CAs, open
source software providers, etc. However lacking an existing licensing
regime for the rights holder (if indeed any are granted), I thought it
best to bring this to people's attention first.

The nature of the invention is such that not applying for a patent
would open the possibility that someone else might make a claim as has
happened to me on numerous other occasions. In the past five years
over $50 million has been spent on defending against such patent

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20141016/2eee8461/attachment-0002.html>

More information about the Public mailing list