Also, the amount of work necessary to make Certificate Transparency work with 
three day certificates is probably not worth the effort.

It's not that you can't do it ... the easiest way is to break the 1-1 
correspondence between SCTs and certificates, and make allowances for issuing a 
series of certificates that are identical except for serial numbers and dates, 
and can all reasonably share the same CT entry.  But that's a non-trivial 
redesign.

Blowing up CT logs by a factor of 100 is also possible but less desirable.

I was a huge fan of the extremely short-lived cert idea, but I think its time 
may have passed.  The compressed CRL stuff that browsers are already 
contemplating and deploying is a better path forward.

-Tim

From: TLS <tls-boun...@ietf.org> On Behalf Of Salz, Rich
Sent: Sunday, October 2, 2022 9:14 AM
To: Phillip Hallam-Baker <i...@hallambaker.com>
Cc: tls@ietf.org
Subject: Re: [TLS] OCSP and browsers

> Now we have ACME, why not move to 3 day certs issued daily and avoid the need 
> for revocation entirely?

Not all CAs in use on the WebPKI support ACME.  Automating a single host to 
renew every 48 hours (have to allow for faults and retries) is okay, as long as 
you are confident your site will not be down during the "get new cert" window.  
As you scale up to millions of sites and/or thousands of locations, it's much 
less simple.

But I'm still looking for an answer about what browsers and OCSP see as their 
future.
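To make Rich's "have to allow for faults and retries" point and Tim's concern about the volume of certificates (and therefore CT log entries) concrete, here is an added simulation that is not part of either message or of any ACME client. It models a single host renewing a short-lived certificate on a fixed schedule while the CA is unreachable during a few outage windows (the windows, the 3-day/daily and 90-day/60-day parameters, and the one-year horizon are all constructed for illustration), and reports how many consecutive failed renewals the host can survive, how many hours it would serve an expired certificate, and how many certificates it issues per year.

```python
"""Hour-granular simulation of scheduled renewal of short-lived certificates.

Constructed scenario (not from the mailing-list thread): the CA / ACME endpoint
is unreachable during a few outage windows. We check how many consecutive
renewal attempts can fail before the site serves an expired certificate, and
how many certificates (hence CT log entries) one host produces per year.
"""

# Constructed CA outage windows, in hours since t=0 (half-open intervals).
OUTAGES = [
    (30, 80),    # ~2 days: two daily renewal attempts fail, cert still valid
    (300, 380),  # ~3.3 days: three attempts fail, cert expires before recovery
]


def ca_available(t, outages):
    """True if the CA can issue at hour t (t is not inside any outage window)."""
    return not any(start <= t < end for start, end in outages)


def simulate(validity_hours, renew_every_hours, horizon_hours, outages):
    """Attempt renewal every `renew_every_hours` for `horizon_hours`.

    The first certificate is issued at t=0 (CA assumed up). Returns
    (certs_issued, max_consecutive_failures, hours_served_expired).
    """
    issued = 1
    not_after = validity_hours          # expiry of the currently installed cert
    missed = max_missed = 0
    expired_hours = 0
    attempts = list(range(renew_every_hours, horizon_hours, renew_every_hours))
    for i, t in enumerate(attempts):
        if ca_available(t, outages):
            issued += 1
            not_after = t + validity_hours
            missed = 0
        else:
            missed += 1
            max_missed = max(max_missed, missed)
        # Hours until the next attempt (or the horizon) during which the
        # installed certificate is already expired.
        t_next = attempts[i + 1] if i + 1 < len(attempts) else horizon_hours
        expired_hours += max(0, t_next - max(not_after, t))
    return issued, max_missed, expired_hours


def tolerated_failures(validity_hours, renew_every_hours):
    """Consecutive failed attempts survivable without serving an expired cert.

    A cert issued at t is valid until t+validity; attempts at t+k*interval may
    fail for k=1..n as long as attempt n+1 lands at or before t+validity.
    """
    return validity_hours // renew_every_hours - 1


if __name__ == "__main__":
    scenarios = [
        (3, 1, "3-day cert, daily renewal"),
        (90, 60, "90-day cert, renewal at day 60"),
    ]
    for validity_days, renew_days, label in scenarios:
        v, r = validity_days * 24, renew_days * 24
        issued, worst, expired = simulate(v, r, 365 * 24, OUTAGES)
        print(f"{label}: {issued} certs/year, worst run of {worst} failed "
              f"attempts, {expired} h served expired; tolerates "
              f"{tolerated_failures(v, r)} consecutive failures")
```

With the constructed outages, the 3-day/daily schedule survives the two-day outage but serves an expired certificate for a full day during the longer one, because it can only absorb two consecutive failed attempts; it also issues 360 certificates in a year where the 90-day schedule issues 7, which is the log-volume growth Tim is referring to. The same loop can be re-run with any outage list or schedule to size the retry budget for a given validity period.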

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls