[Servercert-wg] Discussion Period Begins - Ballot SC-063: “Make OCSP Optional and Incentivize Automation”

Aaron Gable aaron at letsencrypt.org
Mon May 1 16:57:19 UTC 2023


On Thu, Apr 27, 2023, 09:36 Dimitris Zacharopoulos (HARICA) via
Servercert-wg <servercert-wg at cabforum.org> wrote:

> If people agree, I would like to keep the language for "online CAs" to
> issue CRLs at least once every 7 days but issue and publish within 4 hours
> if a Subscriber Certificate is revoked. That approach would propagate the
> "revocation message" sooner to Relying Parties and would also remove the
> unnecessary "cost" of issuing CRLs unnecessarily (i.e. if no revocations
> take place).
> Thoughts?
>

Although I appreciate the sentiment, I don't think a system like this can
be made to work meaningfully.

It's been long established on this list that a certificate is not
considered revoked until its new status is globally visible. This has led
to many incidents where a CA produced a new OCSP response within the
required 24-hour window, but that response wasn't visible (e.g. was hidden
behind cached copies of the old response) until after the 24-hour time
limit had passed.

In a world where CAs are not issuing OCSP at all, and are relying solely on
CRLs to publish revocation information, your proposal becomes cyclic: The
CA must publish their CRL within 4 hours of publishing their CRL.

Perhaps the phrasing could be turned inside out. Something like "when a CRL
is published, all new entries must have a revocationDate no more than 4
hours before the CRL's thisUpdate". But that phrasing seems torturous and
unclear as to the motivation behind it.

I would prefer to instead simply make a carve-out for CAs that have not
issued any certificates. Simply, the requirements proposed in this ballot
should only apply to CRLs whose cRLDistributionPoint has appeared in at
least one certificate. If no publicly-trusted cert has ever pointed a
client at this CRL URL, then there are no requirements to be publishing
CRLs at that URL. Once the CA has begun issuance, then the CRL requirements
should continue until it expires.

Aaron

>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/servercert-wg/attachments/20230501/7380960a/attachment.html>


More information about the Servercert-wg mailing list