Hey all,

Just to let you know: I've updated this wiki page and removed the {{draft}} 
indication at the top.  I'm considering this the plan of record for now.
https://wiki.mozilla.org/CA:RevocationPlan

The primary edit was with regard to OneCRL covering EE certificates.  For now, 
we're considering that off the table, and focusing on CA certificates.  Once we 
have something there, we might re-consider whether some EE certificates can be 
covered.  For example, the space of EV certificates seems small enough (~40K 
IIRC) that it might be feasible to cover with OneCRL.

Thanks to all for the discussion.
--Richard
On Aug 7, 2014, at 4:23 PM, Richard Barnes <rbar...@mozilla.com> wrote:

> 
> On Aug 4, 2014, at 9:21 AM, Rob Stradling <rob.stradl...@comodo.com> wrote:
> 
>> On 04/08/14 14:16, Gervase Markham wrote:
>>> On 02/08/14 15:20, Jesper Kristensen wrote:
>>>> * Have you considered adding support for multiple ocsp staples to allow
>>>> stapling of CA certs?
>>> 
>>> There is a proposed standard for multi-stapling but as far as I remember
>>> it's not even finished yet, let alone implemented and deployed. We
>>> decided that we can't wait for it.
>> 
>> FWIW, it's a Standards Track RFC now.
>> 
>> http://tools.ietf.org/html/rfc6961
>> 
>> I'm not aware of any implementations though.
> 
> Funny enough, I'm an author on RFC 6169 :)
> http://tools.ietf.org/html/rfc6169
> 
> Multi-stapling seems like a reasonable idea in principle.  However, given the 
> lack of implementation, it seems like a OneCRL-like strategy for 
> intermediates is likely to have more impact faster.
> 
> --Richard
> 
>> 
>>>> * Why not allow short-lived CA certs without revocation info, just like
>>>> EE certs?
>>> 
>>> I'm not sure there are any CAs out there who would like to get their
>>> root key out of its secure storage every 3 days.
>> 
>> Ouch.  Painful.
>> 
>>>> * While must-staple and short-lived certificates seem to be scalable
>>>> solutions, OneCRL seems to be a hack needed to make things work in the
>>>> current situation. It would be nice if this could be explicitly stated,
>>>> and even better if you could declare it as a temporary solution intended
>>>> to be used only until more scalable solutions are specced, implemented
>>>> and deployed.
>>> 
>>> It's not a temporary solution for intermediate certs. Well, perhaps it's
>>> possible that multi-stapling could eventually supplant it (if TCP init
>>> windows also enlarge) but I don't think it's really necessary to
>>> speculate on that yet.
>>> 
>>> Gerv
>>> 
>>> 
>>> _______________________________________________
>>> dev-security-policy mailing list
>>> dev-security-policy@lists.mozilla.org
>>> https://lists.mozilla.org/listinfo/dev-security-policy
>>> 
>> 
>> -- 
>> Rob Stradling
>> Senior Research & Development Scientist
>> COMODO - Creating Trust Online
>> 
> 
