Hi
This sounds like a really great plan!
Some comments:
* Have you considered adding support for multiple OCSP staples to allow
stapling of CA certs?
* Why not allow short-lived CA certs without revocation info, just like
EE certs?
* While must-staple and short-lived certificates seem to be scalable
solutions, OneCRL seems to be a hack needed to make things work in the
current situation. It would be nice if this could be explicitly stated,
and even better if you could declare it as a temporary solution intended
to be used only until more scalable solutions are specced, implemented
and deployed.
-
Jesper Kristensen
On 01-08-2014 at 04:07, Richard Barnes wrote:
Hi all,
We in the Mozilla PKI team have been discussing ways to improve revocation checking in
our PKI stack, consolidating a bunch of ideas from earlier work [1][2] and some
maybe-new-ish ideas. I've just pressed "save" on a new wiki page with our
initial plan:
https://wiki.mozilla.org/CA:RevocationPlan
It would be really helpful if people could review and provide feedback on this
plan.
There's one major open issue highlighted in the wiki page. We're planning to
adopt a centralized revocation list model for CA certificates, which we're
calling OneCRL. (Conceptually similar to Chrome's CRLSets.) In addition to
covering CA certificates, we're also considering covering some end-entity (EE)
certificates with OneCRL too. But there are some drawbacks to this approach,
so it's not certain that we will include this in the final plan. Feedback on
this point would be especially valuable.
Thanks a lot,
--Richard
[1] https://wiki.mozilla.org/CA:ImprovingRevocation
[2] https://www.imperialviolet.org/2012/02/05/crlsets.html
_______________________________________________
dev-security-policy mailing list
https://lists.mozilla.org/listinfo/dev-security-policy
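The thread above discusses three revocation mechanisms side by side: OCSP must-staple, short-lived certificates that carry no revocation pointers, and a centrally pushed CA revocation list (OneCRL). The following is an added example, written for this page and not code from the thread, from the wiki plan, or from Mozilla's PKI stack. It decodes the RFC 7633 TLS Feature extension (the must-staple marker) from raw DER and then walks a small policy decision over constructed certificate records. Everything specific to policy is an assumption for illustration: the 7-day short-lived threshold, keying OneCRL entries by (issuer, serial), applying the short-lived rule to CA certs as well as EE certs (Jesper's suggestion), and the "fetch" verdict for certificates that need a live OCSP/CRL lookup.

```python
"""Toy revocation-policy checker: must-staple, short-lived certs, OneCRL.
Added example; not Mozilla code. All thresholds and data are constructed."""
from datetime import datetime, timedelta

# RFC 7633 TLS Feature extension, OID 1.3.6.1.5.5.7.1.24. Its value is a DER
# "SEQUENCE OF INTEGER"; feature 5 (status_request) means OCSP must-staple.
TLS_FEATURE_OID = "1.3.6.1.5.5.7.1.24"
STATUS_REQUEST = 5

# Assumed threshold for "short-lived"; the plan itself may choose another.
SHORT_LIVED_MAX = timedelta(days=7)


def parse_tls_features(der: bytes) -> list:
    """Decode the DER SEQUENCE OF INTEGER carried in a TLS Feature extension.
    Only short-form lengths are handled; real values are a few bytes long."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("expected DER SEQUENCE")
    seq_len = der[1]
    if seq_len & 0x80:
        raise ValueError("long-form length not supported in this example")
    body = der[2:2 + seq_len]
    if len(body) != seq_len:
        raise ValueError("truncated SEQUENCE")
    features, pos = [], 0
    while pos < len(body):
        if body[pos] != 0x02:
            raise ValueError("expected INTEGER element")
        n = body[pos + 1]
        if n & 0x80 or pos + 2 + n > len(body):
            raise ValueError("bad INTEGER length")
        features.append(int.from_bytes(body[pos + 2:pos + 2 + n], "big", signed=True))
        pos += 2 + n
    return features


def requires_stapled_ocsp(extensions: dict) -> bool:
    """True if the certificate carries TLS Feature with status_request."""
    der = extensions.get(TLS_FEATURE_OID)
    return der is not None and STATUS_REQUEST in parse_tls_features(der)


def is_short_lived(not_before: datetime, not_after: datetime) -> bool:
    return not_after - not_before <= SHORT_LIVED_MAX


def check_cert(cert: dict, onecrl: set, now: datetime, staple_status) -> str:
    """Return a verdict string: 'accept: ...', 'reject: ...' or 'fetch: ...'.
    cert keys: issuer, serial, not_before, not_after, extensions.
    staple_status: 'good', 'revoked', or None (no OCSP response stapled).
    OneCRL is checked first because it overrides everything else."""
    if (cert["issuer"], cert["serial"]) in onecrl:
        return "reject: listed in OneCRL"
    if not (cert["not_before"] <= now <= cert["not_after"]):
        return "reject: outside validity period"
    if staple_status == "revoked":
        return "reject: stapled OCSP response says revoked"
    if requires_stapled_ocsp(cert["extensions"]):
        if staple_status == "good":
            return "accept: must-staple satisfied by stapled response"
        return "reject: must-staple certificate without a good stapled response"
    # Assumption: the short-lived rule applies to CA and EE certs alike.
    if is_short_lived(cert["not_before"], cert["not_after"]):
        return "accept: short-lived, no revocation check required"
    if staple_status == "good":
        return "accept: stapled OCSP response is good"
    return "fetch: no fresh revocation information, live OCSP/CRL lookup needed"


# Constructed sample data (not real certificates).
MUST_STAPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x05])  # SEQUENCE { INTEGER 5 }
NOW = datetime(2014, 8, 1, 4, 7)
ONECRL = {("CN=Example Root CA", 0x1001)}
SAMPLE_CERTS = {
    "must_staple": dict(issuer="CN=Example Root CA", serial=0x2001,
                        not_before=NOW - timedelta(days=30),
                        not_after=NOW + timedelta(days=335),
                        extensions={TLS_FEATURE_OID: MUST_STAPLE_DER}),
    "short_lived": dict(issuer="CN=Example Root CA", serial=0x2002,
                        not_before=NOW - timedelta(days=1),
                        not_after=NOW + timedelta(days=2), extensions={}),
    "in_onecrl": dict(issuer="CN=Example Root CA", serial=0x1001,
                      not_before=NOW - timedelta(days=30),
                      not_after=NOW + timedelta(days=335), extensions={}),
    "plain": dict(issuer="CN=Example Root CA", serial=0x2003,
                  not_before=NOW - timedelta(days=30),
                  not_after=NOW + timedelta(days=335), extensions={}),
}


def run_examples(staple_status=None) -> dict:
    """Evaluate every sample certificate with the given staple status."""
    return {name: check_cert(c, ONECRL, NOW, staple_status)
            for name, c in SAMPLE_CERTS.items()}


if __name__ == "__main__":
    for name, verdict in run_examples().items():
        print(f"{name:12} {verdict}")
```

Run with no arguments to see the four verdicts with no OCSP staple presented; pass `"good"` to `run_examples` to see the must-staple certificate flip to accept. The ordering is the point: the OneCRL lookup is purely local and runs before any network-dependent mechanism, which is what makes it the fallback Jesper calls a hack and Richard calls the current plan.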