Curious to know the process by which cert holders will get their certs added
to these lists. How much of that flow and the necessary security measures have 
been worked out? 

  Original Message  
From: Richard Barnes
Sent: Thursday, August 7, 2014 3:59 PM
To: Rob Stradling
Cc: mozilla-dev-tech-cry...@lists.mozilla.org; 
mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: New wiki page on certificate revocation plans


On Aug 7, 2014, at 9:47 AM, Rob Stradling <rob.stradl...@comodo.com> wrote:

> http://dev.chromium.org/Home/chromium-security/crlsets says:
> "The limit of the CRLSet size is 250KB"
> 
> Have Mozilla decided what the maximum OneCRL size will be?

No, we haven't. 

The need for a limit largely depends on whether we cover EE certificates. If we 
cover only intermediate CAs, of which there are roughly 1,800, then there is no 
size issue -- we can include the full SHA-256 digest of every CA certificate 
and only come to around 56KB. (Or just use a 1800-bit bitmap!)

If we choose to cover EE certificates (as CRLSets do), then we will have to 
impose a size limit. In some initial experiments in representing CRLs with 
Golomb compressed encoding, we've been able to get down to roughly N bits per 
entry for 2^-N false positive rate. Since we'll still have OCSP as a fall-back, 
we can tolerate a high failure rate, maybe as high as 0.5% (2^-9). At that 
rate, a 250KB limit would fit around 220,000 CRL entries. So we would need to 
do some experimentation to see how that capacity compares to the size of CRLs 
in the wild.

--Richard 


> 
> On 01/08/14 03:07, Richard Barnes wrote:
>> Hi all,
>> 
>> We in the Mozilla PKI team have been discussing ways to improve revocation 
>> checking in our PKI stack, consolidating a bunch of ideas from earlier work 
>> [1][2] and some maybe-new-ish ideas. I've just pressed "save" on a new wiki 
>> page with our initial plan:
>> 
>> https://wiki.mozilla.org/CA:RevocationPlan
>> 
>> It would be really helpful if people could review and provide feedback on 
>> this plan.
>> 
>> There's one major open issue highlighted in the wiki page. We're planning to 
>> adopt a centralized revocation list model for CA certificates, which we're 
>> calling OneCRL. (Conceptually similar to Chrome's CRLsets.) In addition to 
>> covering CA certificates, we're also considering covering some end-entity 
>> (EE) certificates with OneCRL too. But there are some drawbacks to this 
>> approach, so it's not certain that we will include this in the final plan. 
>> Feedback on this point would be especially valuable.
>> 
>> Thanks a lot,
>> --Richard
>> 
>> [1] https://wiki.mozilla.org/CA:ImprovingRevocation
>> [2] https://www.imperialviolet.org/2012/02/05/crlsets.html
> 
> -- 
> Rob Stradling
> Senior Research & Development Scientist
> COMODO - Creating Trust Online

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
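
Added example, not part of the thread and not Mozilla's OneCRL code: a minimal Golomb-Rice coded set in Python that measures bits per entry and false-positive rate at N = 9, the sizing trade-off discussed in Richard Barnes's reply. The function names, the SHA-256 slot mapping and the sample entries are assumptions made for illustration; this plain Rice variant comes out about 1.5 bits above N per entry.

```python
import hashlib

P = 9  # target false-positive rate of about 2^-P (2^-9 is the rate floated in the thread)

def _slot(entry: bytes, n: int, p: int) -> int:
    # Hash an entry uniformly into [0, n * 2^p); a hit on an unrelated slot is a false positive.
    return int.from_bytes(hashlib.sha256(entry).digest()[:8], "big") % (n << p)

def gcs_encode(entries, p=P):
    """Return (n, bits): sorted hash slots, delta-coded with Golomb-Rice parameter p."""
    n = len(entries)
    bits, prev = [], 0
    for v in sorted({_slot(e, n, p) for e in entries}):
        q, r = divmod(v - prev, 1 << p)
        bits.append("1" * q + "0" + format(r, f"0{p}b"))  # unary quotient, then p-bit remainder
        prev = v
    return n, "".join(bits)

def gcs_decode(gcs, p=P):
    """Rebuild the set of hash slots from the bit string."""
    n, bits = gcs
    slots, pos, value = set(), 0, 0
    while pos < len(bits):
        q = bits.index("0", pos) - pos  # length of the unary run of 1s
        pos += q + 1
        value += (q << p) + int(bits[pos:pos + p], 2)
        pos += p
        slots.add(value)
    return n, slots

def maybe_revoked(decoded, entry, p=P):
    # True means "possibly revoked": confirm over OCSP. False is definitive.
    n, slots = decoded
    return _slot(entry, n, p) in slots

def capacity(limit_bytes, bits_per_entry):
    # How many entries fit in a size budget at a given encoding cost.
    return int(limit_bytes * 8 / bits_per_entry)

def measure(n_revoked=20000, n_probe=50000):
    revoked = [b"revoked-%d" % i for i in range(n_revoked)]  # constructed sample entries
    gcs = gcs_encode(revoked)
    decoded = gcs_decode(gcs)
    missed = sum(not maybe_revoked(decoded, e) for e in revoked)  # false negatives
    hits = sum(maybe_revoked(decoded, b"valid-%d" % i) for i in range(n_probe))
    return len(gcs[1]) / n_revoked, hits / n_probe, missed

if __name__ == "__main__":
    bpe, fpr, missed = measure()
    print(f"{bpe:.2f} bits/entry, false-positive rate {fpr:.4%}, missed {missed}")
    print("entries in 250KB at measured rate:", capacity(250_000, bpe))
```
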