On Fri, 19 Oct 2018 at 10:38, Rob Stradling <r...@comodoca.com> wrote:
> On 18/10/2018 22:55, Ben Laurie wrote:
> > On Fri, 12 Oct 2018 at 19:01, Rob Stradling wrote:
> > > On 12/10/18 16:40, Ryan Sleevi via dev-security-policy wrote:
> > > > On Fri, Oct 12, 2018 at 8:33 AM Ben Laurie <b...@google.com
> > > > <mailto:b...@google.com>> wrote:
> > > > <snip>
> > > > > This is one of the reasons we also need revocation transparency.
> > > >
> > > > As tempting as the buzzword is, and as much as we love motherhood and apple
> > > > pie and must constantly think of the children, slapping transparency after
> > > > a word doesn't actually address the needs of the community or users, nor
> > > > does it resolve the challenging policy issues that arise. Just because
> > > > something is cryptographically verifiable does not mean it actually
> > > > resolves real world problems, or does not introduce additional ones.
> > > >
> > > > A simpler solution, for example, is to maintain an archive of CRLs signed
> > > > by the CA. Which would address the need without the distraction, and
> > > > without having the technical equivalent of Fermat's Last Theorem being
> > > > invoked. Let's not let the perfect (and unspecified) be the enemy of the
> > > > good and reasonable.
> > >
> > > FWIW, we (Comodo CA) do maintain an archive of all the CRLs we've ever
> > > signed.
> >
> > Put it in Trillian? :-)
>
> That had occurred to me. ;-)
>
> Would it be useful?

To be properly useful you would need to extend CRL protocols to include
inclusion proofs, but it's a step in the right direction. Is there a way to
add ad-hoc stuff to CRLs?

> --
> Rob Stradling
> Senior Research & Development Scientist
> Email: r...@comodoca.com
>
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy