[cabfpub] Ballot 185 - Next steps

philliph at comodo.com
Fri Feb 24 09:27:43 MST 2017


> On Feb 24, 2017, at 4:35 AM, Dimitris Zacharopoulos via Public <public at cabforum.org> wrote:
> 
> I believe this is not exactly our view, nobody is arguing that 13 months is not more secure than 39 or 27 months. 

I am.

The revocation infrastructure is currently calibrated to limit validity of a revoked cert to a maximum of 7 days. I would like to reduce that to 1 day for ordinary revocation and 15 minutes for extraordinary revocation.

If you do revocation, the window of vulnerability is reduced from 400 days to 7 (or less).


In my design for a client-side PKI, I abandoned the notion of validity intervals entirely over two years ago. They are neither necessary nor particularly useful in the modern Internet. While the approaches that make that possible could be carried over to the WebPKI, getting rid of validity intervals is obviously infeasible given the legacy code base.



