On Wed, Jul 24, 2024 at 07:49:32PM +0000, Jeremy Rowley wrote:
> > 1. What is the motivation for an organisation to take the time and effort
> > to identify all problematic certificates?  These organisations apparently
> > don't have the available resources to fix the current problems, what will
> > their reaction be to being asked to do even more work?
>
> I think you'd find organizations willing to admit this information upfront
> if it was the only way to delay revocation past the required timeframe.

But I don't see this as being the case in this proposal.  There's
nothing that changes the status quo with regard to CA decision making
when it comes to deciding whether to delay revocation on other
(non-nominated) certificates.

If a CA were to, say, make a binding commitment that, in the event of
delayed revocation of non-nominated certificates, the CA would pay
$10,000 per certificate-hour to a specified charity or else voluntarily
remove themselves from all root stores, *that* would be something worth
paying attention to, as a real commitment that the CA cared to push the
idea forward.

> I think disclosure is the cost of not being able to revoke in 5 days. I
> definitely agree with you that disclosing this information would be hard to
> make happen, but the cost to set up the experiment is pretty low.

I agree, the cost to set up the experiment is pretty low -- and it also
doesn't require ecosystem-wide consensus.  A forward-thinking CA could
perform the experiment on their own: contact all their customers, stating
that, in the event of a need to revoke, the CA won't even consider
taking the hit and delaying revocation unless the customer has
previously nominated the impacted certificate as being potentially
problematic, along with the explanation for why.  Publish that data,
raw, with serial numbers filed off, for analysis by the community.

This would allow said forward-thinking CA to gather the data that Tim's
proposal suggested (and I agree) would be useful, and would, I presume,
look good in the event that the CA *did* have to do a delayed revocation
("see, at least we *tried*!").

- Matt
