On 17/11/14 17:47, Nico Williams wrote:
> On Sat, Nov 15, 2014 at 3:56 PM, Phillip Hallam-Baker wrote:
> <snip>
>> I have a different set of proposals:
>> 1) Stapled OCSP with MUST-STAPLE OID
>> 2) Short lived Certificates
>> 2a) With the same key
>> 2b) With different keys
>> 3) CRLs with HBS compression.
> +1

On 17/11/14 15:52, Ben Laurie wrote:
<snip>
> FWIW, we (Google) are interested in doing the same thing for revocation
> that CT does for certs - i.e. providing a verifiable log/map of
> revocation status.
I'm interested in making revocation checking for the WebPKI actually
work when it needs to work! And that means finding a way for browsers
to be able to hard-fail when revocation status is unobtainable.

TBH, I'm growing weary of OCSP Stapling. It's still going to be years
before there's any chance of it being deployed ubiquitously. And I've
seen some resistance to having OCSP Stapling enabled by default on the
server-side.

Must-Staple is selective hard-fail. It doesn't stop a compromised CA
from misissuing a cert without Must-Staple for www.domain.com.
Ultimately, we need browsers to always hard-fail, at which point
Must-Staple would become redundant.

Short-lived certs are awkward until servers can somehow automate the
process of requesting and installing new certificates. And it's a
problem that browsers don't treat certificate expiration as harshly as
they treat certificate revocation.

The direction the browsers have been heading in (first Chrome with
CRLSets, and now Firefox with OneCRL) is for the browser provider to
construct a curated "global CRL" and push this to users via the
browser's regular update mechanism. The biggest problem I've seen with
these "global CRL" solutions is that they don't cover the majority of
certs...

...which is why I'm excited about CRLs with HBS compression. :-)

I'm also excited about Ben's Revocation Transparency proposal. This
would be perfect as a trusted source for generating _truly_ "global
CRLs" with HBS compression. :-)
--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
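Added example (not part of the thread, and not Google's Revocation Transparency design or any CRLSet/OneCRL code): a minimal sketch of the two ideas discussed above, a verifiable map of revocation status and a client that hard-fails when that status cannot be proven. A log operator publishes a Merkle tree head over (serial, status) entries; the client is assumed to already hold that tree head from a trusted channel (the browser-update channel that ships CRLSets/OneCRL is the obvious candidate) and checks an inclusion proof for the certificate it is about to accept. The entries, the hypothetical "good"/"revoked" status strings and the tree-padding rule (duplicate the last node of an odd level) are all constructed for this example; only the leaf/node domain-separation prefixes follow the RFC 6962 convention.

```python
"""Verifiable revocation-status map with hard-fail client check (example sketch)."""
import hashlib
from typing import List, Optional, Tuple

LEAF_PREFIX = b"\x00"  # domain separation for leaves, as in RFC 6962 Merkle trees
NODE_PREFIX = b"\x01"  # domain separation for interior nodes

# Constructed sample map: serial number -> status. Five entries so that the
# odd-level padding path is exercised.
ENTRIES: List[Tuple[int, str]] = [
    (0x01, "good"), (0x02, "revoked"), (0x03, "good"), (0x04, "good"), (0x05, "revoked"),
]


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def leaf_hash(serial: int, status: str) -> bytes:
    # Fixed-width serial so that "serial||status" cannot be re-split ambiguously.
    return _h(LEAF_PREFIX + serial.to_bytes(20, "big") + status.encode())


def _pad(level: List[bytes]) -> List[bytes]:
    # Simplified padding rule (assumption of this sketch): duplicate the last
    # node when a level has an odd number of nodes.
    return level + [level[-1]] if len(level) % 2 else level


def build_levels(entries: List[Tuple[int, str]]) -> List[List[bytes]]:
    """Return all tree levels, level 0 being the (unpadded) leaf hashes."""
    level = [leaf_hash(s, st) for s, st in entries]
    levels = [level]
    while len(level) > 1:
        level = _pad(level)
        level = [_h(NODE_PREFIX + level[i] + level[i + 1]) for i in range(0, len(level), 2)]
        levels.append(level)
    return levels


def tree_head(entries: List[Tuple[int, str]]) -> bytes:
    """The root hash the log operator would publish (and sign) as the tree head."""
    return build_levels(entries)[-1][0]


def inclusion_proof(entries: List[Tuple[int, str]], index: int) -> List[Tuple[bytes, bool]]:
    """Audit path for the leaf at `index`: a list of (sibling_hash, sibling_is_right)."""
    path = []
    i = index
    for level in build_levels(entries)[:-1]:
        level = _pad(level)
        sibling = i ^ 1
        path.append((level[sibling], sibling > i))
        i //= 2
    return path


def verify_inclusion(root: bytes, serial: int, status: str, path: List[Tuple[bytes, bool]]) -> bool:
    """Recompute the root from the claimed leaf and the audit path; True iff it matches."""
    node = leaf_hash(serial, status)
    for sibling, sibling_is_right in path:
        node = _h(NODE_PREFIX + node + sibling) if sibling_is_right else _h(NODE_PREFIX + sibling + node)
    return node == root


def client_accepts(root: bytes, serial: int, claimed_status: str,
                   path: Optional[List[Tuple[bytes, bool]]], hard_fail: bool = True) -> bool:
    """Accept a certificate only when a proof against the trusted root shows it 'good'.

    path=None models "revocation status unobtainable" (responder blocked, proof
    missing). With hard_fail=False the client tolerates that, which is the
    soft-fail behaviour the message above argues must go away.
    """
    if path is None:
        return not hard_fail
    if not verify_inclusion(root, serial, claimed_status, path):
        return False  # proof does not match the trusted tree head
    return claimed_status == "good"


if __name__ == "__main__":
    root = tree_head(ENTRIES)
    for idx, (serial, status) in enumerate(ENTRIES):
        proof = inclusion_proof(ENTRIES, idx)
        print(f"serial {serial:#04x}: proven {status!r:10} -> accept={client_accepts(root, serial, status, proof)}")
    print("status unobtainable, hard-fail  ->", client_accepts(root, 0x01, "good", None))
    print("status unobtainable, soft-fail  ->", client_accepts(root, 0x01, "good", None, hard_fail=False))
```

The point the sketch makes concrete: with the tree head delivered out of band, an attacker who can block the revocation channel can only withhold the proof, not forge a "good" status, and a hard-failing client treats a withheld proof exactly like a revoked certificate. A real deployment would additionally need a signed tree head, consistency proofs between successive heads, and proofs of absence for serials the map does not list; none of that is shown here.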
_______________________________________________
therightkey mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/therightkey