On 12/10/18 16:40, Ryan Sleevi via dev-security-policy wrote:
> On Fri, Oct 12, 2018 at 8:33 AM Ben Laurie <b...@google.com> wrote:
> <snip>
>> This is one of the reasons we also need revocation transparency.
>
> As tempting as the buzzword is, and as much as we love motherhood and apple
> pie and must constantly think of the children, slapping transparency after
> a word doesn't actually address the needs of the community or users, nor
> does it resolve the challenging policy issues that arise. Just because
> something is cryptographically verifiable does not mean it actually
> resolves real world problems, or does not introduce additional ones.
>
> A simpler solution, for example, is to maintain an archive of CRLs signed
> by the CA. Which would address the need without the distraction, and
> without having the technical equivalent of Fermat's Last Theorem being
> invoked. Let's not let the perfect (and unspecified) be the enemy of the
> good and reasonable.

FWIW, we (Comodo CA) do maintain an archive of all the CRLs we've ever
signed.
--
Rob Stradling
Senior Research & Development Scientist
Email: r...@comodoca.com
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy