[cabfpub] Pre-Ballot - Short-Life Certificates
gerv at mozilla.org
Thu Nov 6 06:13:45 MST 2014
On 06/11/14 12:39, i-barreira at izenpe.net wrote:
> 1.- if something happens on day one and they let the certificate
> expire in day 3, many users of that site are in risk, for a limited
> time but in risk depending on what happened and the site accesses.
You are comparing this proposal with "revocation in a perfect world".
You need to compare it with revocation in the real world under realistic
Let's take Iran. It MITMed its entire population for a month using
stolen certs. It was perfectly capable of blackholing OCSP requests,
even if Diginotar had bothered to revoke the certs. Or, if there was
must-staple, they can cache a valid OCSP response and staple it for the
lifetime of the response - which may well be longer than the 2 days the
short-lived cert will work for.
> 3.- about the call-backs I'm with Rick, maybe you reduce the number
> of OCSP calls, but you increase the number of CA request for a
> certificate, which is best?
That's up to each CA and site to negotiate. If you think it doesn't work
for you as a CA, then don't implement it. But voting against it merely
because you don't want to implement it would be anti-competitive.
> 5.- As usual, everything that has to be done is under CA efforts. If
> something is requested to the browsers to change (for example the
> discussion on distinguish the OV and DV) is useless because they
> don't want to do it and they control the votings because with one
> which says no, that's enough for the ballot failure. I don't think is
This change requires no action by any CA which doesn't want to take action.
> 9.- If short-live certs have no revocation entry how they can provide
> shorter revocation window? BTW, the BRs mandate the use of a
> mechanism for informing subscribers of the status of the certificate.
The fact that such a mechanism must exist doesn't necessarily mean it
works. See above.
> In summary, I don't know if this is for trying to convince to the
> rest of the CAs that the benefits of these certificates.
No. You don't need to be convinced of their benefits. Voting only to
enable a product because you think it's a good product and you want to
produce it would be anti-competitive. The question is: is it any less
_secure_? We argue not.