Why does OneCRL seem like a hack?  Considering how infrequently intermediates 
and roots are revoked, OneCRL seems like a satisfactory way to provide this 
information long-term, provided that the certs are removed from OneCRL at some 
point.  I'd think they could safely remove the OneCRL certs after the listed 
cert expires.  For EE, OneCRL is only necessary where the other methods of 
revocation are considered insufficient.  If hard-fail OCSP is turned on (the 
last point), then OneCRL for EE certs becomes obsolete. 

Jeremy 
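To make the two claims above concrete (a list entry can be dropped once the listed certificate has expired, and hard-fail OCSP covers the end-entity case on its own), here is an added toy chain-validation check. It is not code from this thread or from Mozilla's OneCRL implementation; the entry shape (issuer name plus serial number, with the listed cert's expiry recorded for pruning), the certificate names, serials and dates, and the simulated OCSP responder are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, List, Optional, Tuple

UTC = timezone.utc


@dataclass(frozen=True)
class Cert:
    """Minimal certificate stand-in: only the fields the check needs."""
    subject: str
    issuer: str
    serial: int
    not_after: datetime


@dataclass(frozen=True)
class ListEntry:
    """One entry of a OneCRL-style central revocation list (assumed shape)."""
    issuer: str
    serial: int
    not_after: datetime  # expiry of the listed cert, kept so the entry can be pruned later


def prune_expired(entries: List[ListEntry], now: datetime) -> List[ListEntry]:
    """Drop entries whose listed certificate has already expired."""
    return [e for e in entries if e.not_after > now]


def is_listed(cert: Cert, entries: List[ListEntry]) -> bool:
    return any(e.issuer == cert.issuer and e.serial == cert.serial for e in entries)


def check_chain(chain: List[Cert], entries: List[ListEntry], now: datetime,
                ee_ocsp: Optional[Callable[[Cert], Optional[str]]] = None,
                hard_fail: bool = False) -> Tuple[bool, str]:
    """chain is leaf-first. Every cert is checked for expiry and against the
    central list; only the end-entity (index 0) is additionally checked via
    the simulated OCSP callback, which returns "good", "revoked" or None
    (responder unavailable). Returns (accepted, reason)."""
    for i, cert in enumerate(chain):
        if cert.not_after <= now:
            return False, f"expired: {cert.subject}"
        if is_listed(cert, entries):
            return False, f"revoked by list: {cert.subject}"
        if i == 0 and ee_ocsp is not None:
            status = ee_ocsp(cert)
            if status == "revoked":
                return False, f"revoked by OCSP: {cert.subject}"
            if status is None and hard_fail:
                return False, f"OCSP unavailable (hard-fail): {cert.subject}"
    return True, "ok"


# Constructed sample data (not real certificates).
ROOT = Cert("Example Root", "Example Root", 1, datetime(2030, 1, 1, tzinfo=UTC))
BAD_ICA = Cert("Example Intermediate", "Example Root", 2, datetime(2015, 1, 1, tzinfo=UTC))
GOOD_ICA = Cert("Example Intermediate 2", "Example Root", 3, datetime(2025, 1, 1, tzinfo=UTC))
LEAF = Cert("www.example.test", "Example Intermediate", 1001, datetime(2016, 1, 1, tzinfo=UTC))
LEAF2 = Cert("www2.example.test", "Example Intermediate 2", 1002, datetime(2016, 1, 1, tzinfo=UTC))

# The central list names the compromised intermediate by issuer + serial.
ONECRL = [ListEntry("Example Root", 2, BAD_ICA.not_after)]


def scenario() -> dict:
    before = datetime(2014, 9, 1, tzinfo=UTC)   # while the listed intermediate is still valid
    after = datetime(2015, 6, 1, tzinfo=UTC)    # after the listed intermediate has expired
    results = {}
    # 1. While the intermediate is valid, the list is what blocks the chain.
    results["listed_ica"] = check_chain([LEAF, BAD_ICA, ROOT], ONECRL, before)
    # 2. Once it has expired, the entry can be pruned; the chain is still
    #    rejected, now by the ordinary expiry check.
    pruned = prune_expired(ONECRL, after)
    results["pruned_entries"] = len(pruned)
    results["after_prune"] = check_chain([LEAF, BAD_ICA, ROOT], pruned, after)
    # 3. An unlisted end-entity is still caught by OCSP, so no list entry is needed for it.
    results["ocsp_revoked"] = check_chain([LEAF2, GOOD_ICA, ROOT], ONECRL, before,
                                          ee_ocsp=lambda c: "revoked")
    # 4. Responder unavailable: soft-fail accepts, hard-fail rejects.
    results["ocsp_soft_fail"] = check_chain([LEAF2, GOOD_ICA, ROOT], ONECRL, before,
                                            ee_ocsp=lambda c: None, hard_fail=False)
    results["ocsp_hard_fail"] = check_chain([LEAF2, GOOD_ICA, ROOT], ONECRL, before,
                                            ee_ocsp=lambda c: None, hard_fail=True)
    return results


if __name__ == "__main__":
    for name, outcome in scenario().items():
        print(f"{name}: {outcome}")
```

The soft-fail case is the one worth noticing: with the responder unreachable and no list entry, the chain is accepted, which is exactly the gap a central list for end-entity certificates is meant to paper over until hard-fail OCSP (or must-staple) is in place.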

-----Original Message-----
From: dev-security-policy 
[mailto:dev-security-policy-bounces+jeremy.rowley=digicert....@lists.mozilla.org]
 On Behalf Of Jesper Kristensen
Sent: Saturday, August 2, 2014 8:21 AM
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: New wiki page on certificate revocation plans

Hi

This sounds like a really great plan!

Some comments:

* Have you considered adding support for multiple ocsp staples to allow 
stapling of CA certs?

* Why not allow short-lived CA certs without revocation info, just like EE 
certs?

* While must-staple and short-lived certificates seem to be scalable solutions, 
OneCRL seems to be a hack needed to make things work in the current situation. 
It would be nice if this could be explicitly stated, and even better if you 
could declare it as a temporary solution intended to be used only until more 
scalable solutions are specced, implemented and deployed.

-
Jesper Kristensen

On 01-08-2014 at 04:07, Richard Barnes wrote:
> Hi all,
>
> We in the Mozilla PKI team have been discussing ways to improve revocation 
> checking in our PKI stack, consolidating a bunch of ideas from earlier work 
> [1][2] and some maybe-new-ish ideas.  I've just pressed "save" on a new wiki 
> page with our initial plan:
>
> https://wiki.mozilla.org/CA:RevocationPlan
>
> It would be really helpful if people could review and provide feedback on 
> this plan.
>
> There's one major open issue highlighted in the wiki page.  We're planning to 
> adopt a centralized revocation list model for CA certificates, which we're 
> calling OneCRL.  (Conceptually similar to Chrome's CRLsets.)  In addition to 
> covering CA certificates, we're also considering covering some end-entity (EE) 
> certificates with OneCRL too.  But there are some drawbacks to this approach, 
> so it's not certain that we will include this in the final plan.  Feedback on 
> this point would be especially valuable.
>
> Thanks a lot,
> --Richard
>
> [1] https://wiki.mozilla.org/CA:ImprovingRevocation
> [2] https://www.imperialviolet.org/2012/02/05/crlsets.html
>

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy