[cabfpub] Draft Ballot 185 - Limiting the Lifetime of Certificates
Rob Stradling
rob.stradling at comodo.com
Mon Feb 6 11:40:12 UTC 2017
Is there anyone who believes that _expiration_ currently "works"?

When a typical browser encounters an expired server certificate, it
shows a warning that the user can click through. The user is only
advised to avoid harm. I wonder how many users don't heed that advice?

However, when a typical browser encounters a server certificate that it
knows to be revoked, it shows a warning that the user *cannot* click
through. The user is *forced* to avoid harm.

What's stopping browsers from treating expired certs in the same way
that they treat known revoked certs?

(FWIW, I've made this point before:
https://groups.google.com/d/msg/mozilla.dev.security.policy/T11up58JkFc/uMNrXQsIzf0J)

On 03/02/17 19:40, Richard Barnes via Public wrote:
> Is there anyone on the relying party side of the universe that believes
> revocation works? Even among browsers that send OCSP requests, none of
> them hard-fail if it doesn't work, because in practice, OCSP servers are
> so awful that HTTPS would become unusable. So OCSP is still, as AGL
> says, a seat belt that breaks when you crash. Seems fair to call that
> broken.
>
> Even if OCSP were magically to become usable, though, (or some
> replacement for it) this ballot would still be necessary for all the
> other reasons that have been discussed here.
>
>
> On Fri, Feb 3, 2017 at 11:34 AM, Rich Smith via Public
> <public at cabforum.org <mailto:public at cabforum.org>> wrote:
>
> Ryan, since you're using your age old FUD "revocation doesn't work"
> (because certain browsers have chosen not to consult revocation
> information) as part of the reasoning as to why this ballot is
> necessary, I think it's quite germane to the discussion.
>
>
> On 2/3/2017 11:38 AM, Ryan Sleevi via Public wrote:
>>
>>
>> On Fri, Feb 3, 2017 at 9:11 AM, Rob Stradling
>> <rob.stradling at comodo.com <mailto:rob.stradling at comodo.com>> wrote:
>>
>> Ryan, what targets
>> (filesize/performance/reliability/reachability/etc) would CAs
>> need to meet before it would become viable to reintroduce CRLs
>> to the WebPKI (i.e., for Chrome to start checking CRLs and
>> hard-failing if they're unobtainable)?
>>
>>
>> Happy to have that discussion at another time, but it's not
>> germane to the discussion at hand, as I clearly indicated in the
>> original message. It's necessary, but not sufficient, to have
>> that, and we're not presently proposing addressing all the other
>> necessary conditions. Baby steps.
--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online