On Fri, Oct 12, 2018 at 8:33 AM Ben Laurie <b...@google.com> wrote:

> On Fri, 12 Oct 2018 at 03:16, Ryan Sleevi via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
>
>> I believe that may be misunderstanding the concern.
>>
>> Once these certificates expire, there's not a good way to check whether or
>> not they were revoked, because such revocation information may be culled
>> after certificate expiration.
>>
>> Similarly, if one is looking to verify the claims about revocation dates
>> and timelines, once those are culled from the CRLs, you can only
>> demonstrate with past CRLs or responses that may have been archived.
>>
>> The concern about December 6 represents when some of the certificates begin
>> to expire, and thus being able to examine whether or not and when things
>> were done may no longer be available.
>
> This is one of the reasons we also need revocation transparency.

As tempting as the buzzword is, and as much as we love motherhood and apple pie and must constantly think of the children, slapping transparency after a word doesn't actually address the needs of the community or users, nor does it resolve the challenging policy issues that arise. Just because something is cryptographically verifiable does not mean it actually resolves real world problems, or does not introduce additional ones.

A simpler solution, for example, is to maintain an archive of CRLs signed by the CA. Which would address the need without the distraction, and without having the technical equivalent of Fermat's Last Theorem being invoked.

Let's not let the perfect (and unspecified) be the enemy of the good and reasonable.