On 12/10/2018 20:01, Rob Stradling wrote:
On 12/10/18 16:40, Ryan Sleevi via dev-security-policy wrote:
On Fri, Oct 12, 2018 at 8:33 AM Ben Laurie <[email protected]> wrote:
<snip>
This is one of the reasons we also need revocation transparency.

As tempting as the buzzword is, and as much as we love motherhood and apple pie and must constantly think of the children, slapping transparency after
a word doesn't actually address the needs of the community or users, nor
does it resolve the challenging policy issues that arise. Just because
something is cryptographically verifiable does not mean it actually
resolves real world problems, or does not introduce additional ones.

A simpler solution, for example, is to maintain an archive of CRLs signed
by the CA. Which would address the need without the distraction, and
without having the technical equivalent of Fermat's Last Theorem being
invoked. Let's not let the perfect (and unspecified) be the enemy of the
good and reasonable.

FWIW, we (Comodo CA) do maintain an archive of all the CRLs we've ever signed.


FYI, the point would be for a third party to archive copies of the CRLs,
in order for the community to detect that CAs (do not) attempt to
falsify their history of past revocations.

It appears that crt.sh is already providing this service to the
community, albeit without a cryptographic timestamp signature on the
evidence that crt.sh had indeed seen specific CRLs before a certain
date/time.

However the mere existence of contradictory CRLs covering the same date
range would already be significant evidence against any such rogue CA.


Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

Reply via email to