[cabfpub] Pre-Ballot - Short-Life Certificates
Gervase Markham
gerv at mozilla.org
Fri Oct 24 13:12:59 UTC 2014
On 24/10/14 13:40, Rich Smith wrote:
> I keep coming back to this same question every time this comes up, and I
> have not received a satisfactory answer yet:
> Why MUST a short lived certificate be issued without containing
> revocation information?
And I keep asking it every time you ask: because putting in revocation
information eliminates 90% of their advantage, because there is then no
advantage in all the currently-existing clients. A short-lived cert with
revocation pointers will still incur the delay of revocation checking,
even though (this is the argument, and the argument with which I hope
you will engage) it's not necessary to provide them because the security
properties of a 3-day cert are broadly comparable to a 1-year cert with
10-day, 5-day or 3-day-expiry OCSP responses.
> The simple fact of the matter is that revocation info in the certificate
> MAY help SOME users IF the certificate gets revoked, and I have yet to
> see anyone offer up any decent argument for why the revocation info
> absolutely MUST NOT be present for short-lived certs to work.
No one is arguing that it MUST NOT be present for short-lived
certificates to "work". But if a site and a CA are together considering
deploying such a technology, they will look at the costs and benefits.
There will be significant costs in setting up the system; if the
benefits are only in 5% or 10% of clients, it may well be judged not to
be worth it.
> I'm open
> to such an argument, but until I see it I remain opposed to a ballot to
> allow any certificate to be issued without revocation information.
I don't understand this position. Surely the acceptability or not of
short-lived certificates should depend on whether their security
properties are broadly comparable to existing solutions, not on whether
I can construct an argument that shows it's required to remove the
revocation information for it to be technically feasible to deploy them?
Gerv
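The comparison the message turns on (a 3-day certificate with no revocation pointers, versus a 1-year certificate whose OCSP responses expire after 3, 5 or 10 days) can be made concrete. The Go program below is an added illustration, not code from this mailing-list thread or from any CA or browser vendor: it mints both kinds of leaf under a throwaway CA using only the standard library, shows which one carries the AIA OCSP and CRL pointers that existing clients would go and fetch, and computes the worst-case period for which a relying party could keep accepting each certificate after a key compromise. The responder and CRL URLs, the host name and the throwaway CA are assumptions for illustration; the model assumes the CA revokes immediately and that the relying party either holds a freshly cached status response or has no pointer to fetch at all.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

const day = 24 * time.Hour

// Assumed responder and CRL locations; illustration only, not real services.
const (
	ocspURL = "http://ocsp.ca.example/"
	crlURL  = "http://crl.ca.example/ca.crl"
)

// issuer is a throwaway CA used only to sign the sample leaves.
type issuer struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

func newIssuer(now time.Time) (*issuer, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Throwaway Test CA"},
		NotBefore:             now,
		NotAfter:              now.Add(10 * 365 * day),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &issuer{cert: cert, key: key}, nil
}

// IssueLeaf signs a server certificate valid from notBefore for lifetime.
// withPointers decides whether the AIA OCSP URI and CRL distribution point
// are embedded; the short-lived certificate discussed in the thread omits both.
func (ca *issuer) IssueLeaf(notBefore time.Time, lifetime time.Duration, withPointers bool) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: "www.example.test"}, // assumed host name
		DNSNames:     []string{"www.example.test"},
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(lifetime),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if withPointers {
		tmpl.OCSPServer = []string{ocspURL}
		tmpl.CRLDistributionPoints = []string{crlURL}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.cert, &key.PublicKey, ca.key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// HasRevocationPointers reports whether a client has anything to fetch: with
// no AIA OCSP URI and no CRL distribution point there is no revocation
// round trip, which is the deployment advantage the message describes.
func HasRevocationPointers(c *x509.Certificate) bool {
	return len(c.OCSPServer) > 0 || len(c.CRLDistributionPoints) > 0
}

// AcceptanceWindow returns how long a relying party could keep accepting c
// after its key is compromised at time compromise, assuming the CA revokes
// at once. Without pointers the only cutoff is NotAfter. With pointers the
// client may already hold a "good" status response fetched just before the
// compromise, so the cutoff is the earlier of NotAfter and statusLifetime
// (the validity period of that cached OCSP response or CRL).
func AcceptanceWindow(c *x509.Certificate, compromise time.Time, statusLifetime time.Duration) time.Duration {
	window := c.NotAfter.Sub(compromise)
	if window < 0 {
		return 0
	}
	if HasRevocationPointers(c) && statusLifetime < window {
		window = statusLifetime
	}
	return window
}

func main() {
	now := time.Date(2014, 10, 24, 13, 0, 0, 0, time.UTC)
	ca, err := newIssuer(now)
	if err != nil {
		panic(err)
	}
	short, err := ca.IssueLeaf(now, 3*day, false)
	if err != nil {
		panic(err)
	}
	long, err := ca.IssueLeaf(now, 365*day, true)
	if err != nil {
		panic(err)
	}
	fmt.Printf("3-day cert, no pointers:         pointers=%v window=%v\n",
		HasRevocationPointers(short), AcceptanceWindow(short, now, 0))
	for _, l := range []time.Duration{3 * day, 5 * day, 10 * day} {
		fmt.Printf("1-year cert, %2d-day OCSP cache: pointers=%v window=%v\n",
			int(l/day), HasRevocationPointers(long), AcceptanceWindow(long, now, l))
	}
}
```

Run it with `go run`: the 3-day certificate without pointers and the 1-year certificate with a 3-day OCSP cache both give a 72-hour worst-case window, which is the "broadly comparable" claim in numbers; the 10-day cache gives a longer one. The model is deliberately generous to the OCSP case, since a client that soft-fails when the responder is unreachable can be held at NotAfter for the whole year, which the short-lived certificate cannot.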