[cabfpub] Draft Ballot 185 - Limiting the Lifetime of Certificates

Rob Stradling rob.stradling at comodo.com
Fri Feb 3 17:11:15 UTC 2017 

On 03/02/17 07:19, Jeremy Rowley via Public wrote:
> On 02/02/17 22:40, Ryan Sleevi via Public wrote:
<snip>
>> It's also important to consider that shorter-lived certs create the
>> opportunity to make CRLs *more* viable and performant, which might be
>> able to see their reintroduction in the WebPKI. A significant challenge
>> to the CRL problem has been the fact that many (too many) CAs have
>> deployed their CRLs incredibly inefficiently. By allowing shorter
>> expiration, we allow CRLs to be smaller, and thus improve the security
>> of the ecosystem by making them more reliable. I'll note that this isn't
>> a perfect solution - there are still other normative requirements needed
>> to reform CA's practices, since too many have trouble reading or
>> understanding their business or RFC 5280 - but it's an important step
>> into making these more viable.
>
> * Would Google actually start checking revocation using standard CRL
> processes with shorter lived certs? I’m skeptical. When Google removed
> CRL checking, it wasn’t the size they complain about the most – it was
> the performance, the out-of-bands look up, and the reliability of
> certain CAs. Would Google simple add all certs to their CRLs?

Ryan, what targets (filesize/performance/reliability/reachability/etc) 
would CAs need to meet before it would become viable to reintroduce CRLs 
to the WebPKI (i.e., for Chrome to start checking CRLs and hard-failing 
if they're unobtainable)?

Also, OCSP.  What targets would CAs need to meet before it would become 
viable for Chrome to start doing online OCSP checks again, and to start 
hard-failing?
Since Chrome stopped doing online OCSP checks a few years ago, many CAs 
have moved their OCSP responders on to CDNs.  Here's a picture of the 
current landscape from one vantage point:
http://uptime.netcraft.com/perf/reports/performance/OCSP?orderby=avg_total
Are these improvements enough?

Thanks.

-- 
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online

More information about the Public mailing list