[cabfpub] Why would effective revocation be "not sufficient"? (was Re: Draft Ballot 185 - Limiting the Lifetime of Certificates)

Ryan Sleevi sleevi at google.com
Mon Feb 6 12:49:57 MST 2017


To expand on this a little:

Imagine a world with perfect revocation that was 100% hard-fail, the
pretend solution to solve all of our woes.

Now imagine we wanted to introduce a change to the ecosystem - whether it
be replacing SHA-1 certificates, the introduction of Certificate
Transparency, changing how certificates are validated, or even more mundane
tasks like normalizing EKUs or policy OIDs.

Under that system - our world of perfect-revocation but still 39 months -
it means that even if the Forum adopts something by Ballot, it cannot be
relied on until 39 months + (time to phase requirement in). That is, if we
allow something like a 3-6 month window (to account for CAs' challenges in
updating systems or adopting new requirements), it's something like 42 - 45
months. For more substantial things that have a longer lead-in, which some
have requested, that may be as long as 51 months - over 4 years.

Until all certificates issued prior to the 'effective' date have elapsed, relying
party software cannot reliably enforce such constraints programmatically
without the risk of 'breaking' some sites.

This is all known and well-understood, whether we're talking our pretend
world or the real world.

The question then becomes: Does this pretend world help us at all? And I
would argue no, it does not. In order for the pretend world to have the
same benefits as reduced validity periods, we would need to require that
CAs *revoke* all existing (non-conforming) certificates at some time period
after the effective date - say, 13 months, since that's the proposal
currently on the table. 13 months after the effective date of a ballot, CAs
would have to revoke every extant certificate - and customers' sites would
then, from their POV, suddenly break.

For the CAs, this is surely undesirable. We've heard time and time again
from CAs about the challenges of communicating with their customers and
ensuring their customers prepare. I have full confidence that, no matter how
much CAs tell their customers "We're about to revoke you," there would still
be some non-trivial portion of users broken. I have this confidence because
under today's model, where the browsers are taking the action of enforcing
particular policies, CAs have the same obligation (to notify their
customers to update), and face the same challenges in communication and
preparedness.

For browsers, this is effectively the same as the status quo, as mentioned
above. In both cases, it results in a giant 'flag day' where sites break.
And while CAs no doubt view their relationships in terms of subscribers
(their customers), browsers view their relationships in terms of relying
parties. Even though it is the subscriber's fault, it's the relying party
who disproportionately bears the effect. Worse, as we know from studies and
phenomena such as "warning fatigue", if the relying party encounters
multiple subscribers who fail to prepare, then the RP becomes habituated to
ignoring such warnings - making the ecosystem less secure.

This is where validity periods provide a natural backstop to these issues,
because they fit within the existing ecosystem to which subscribers are
already habituated - renewing certificates - and provide a natural
communication path for the subscriber and CA, in that the certificate
itself carries what the CA would say ("This certificate will stop being
acceptable on date X"), without having to rely on the CA finding a human
person who can parse and understand whatever message they're trying to
convey.

In this way, even with the world's most perfect revocation system, you
might view certificate validity as "The perfect communication mechanism"
('for any communication that requires changes within 13 months'). This is
complementary to revocation.

In my earlier message, I highlighted revocation as just one of many reasons
why this is valuable. In my mind, the benefits of revocation are
actually far lower on the list compared to some of the other matters I
highlighted. And while I have no doubt that some CAs will object (and have
objected) to some of my reasons, in their collective sum the benefits are
substantial towards making positive change.