Hi, I recently observed something about certificate revocation that is, in retrospect, quite obvious, but I'm not sure if people in the WebPKI community are widely aware of it.
As most on this list probably know, most browsers have moved away from using revocation checks via OCSP and use aggregated CRL lists like Mozilla's CRLite.

This may be stating the totally obvious, but: this only works for certificates with CRLs. We are currently seeing a mixture of practices. Some CAs have only CRLs, some have only OCSP, and some have both.

If a certificate without a CRL is revoked, it is quite possible that a cert gets revoked, yet is still in use, and most users will not notice it.

CAs that currently do not have CRLs referenced in their certs may want to consider that.

Browsers may want to consider better documenting this limitation. (E.g., there's a FAQ for CRLite, and I think you can read it between the lines, but adding an explicit "What about certificates without a CRL?" may be a good idea: https://github.com/mozilla/crlite/wiki )

One could also consider having a requirement for CRLs in certificates by browser root stores. (I don't have a strong opinion on whether that's a good idea.)

-- 
Hanno Böck - Independent security researcher
https://itsec.hboeck.de/
https://badkeys.info/

To view this discussion visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/20250620101221.0b8fc555%40hboeck.de.
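The check below is an added example and is not part of the message above, nor code from CRLite or any CA. It uses Go's standard crypto/x509 package to report whether a certificate carries a CRL Distribution Points extension and/or an OCSP responder URL in its Authority Information Access extension, which is the property that decides whether a CRL-based aggregator can ever learn about its revocation. Run with no arguments it inspects throwaway self-signed certificates that it generates itself, with made-up example.test URLs (constructed test data, not real CA endpoints); given a PEM file as the first argument it inspects that certificate instead. The verdict strings ("crl+ocsp", "crl-only", "ocsp-only", "none") are this example's own naming.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"os"
	"time"
)

// RevocationSources reports which revocation pointers a certificate carries:
// a CRL Distribution Points extension and/or an OCSP responder URL from the
// Authority Information Access extension (both populated by x509.ParseCertificate).
func RevocationSources(cert *x509.Certificate) (hasCRL, hasOCSP bool) {
	return len(cert.CRLDistributionPoints) > 0, len(cert.OCSPServer) > 0
}

// CoveredByCRLAggregator is the check the post is about: an aggregated-CRL
// mechanism such as CRLite can only learn about a revocation if the
// certificate points at a CRL in the first place.
func CoveredByCRLAggregator(cert *x509.Certificate) bool {
	hasCRL, _ := RevocationSources(cert)
	return hasCRL
}

// Classify returns one of "crl+ocsp", "crl-only", "ocsp-only" or "none"
// (the example's own labels).
func Classify(cert *x509.Certificate) string {
	hasCRL, hasOCSP := RevocationSources(cert)
	switch {
	case hasCRL && hasOCSP:
		return "crl+ocsp"
	case hasCRL:
		return "crl-only"
	case hasOCSP:
		return "ocsp-only"
	default:
		return "none"
	}
}

// ParsePEM decodes the first CERTIFICATE block from PEM input.
func ParsePEM(pemData []byte) (*x509.Certificate, error) {
	block, _ := pem.Decode(pemData)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, errors.New("no CERTIFICATE block found")
	}
	return x509.ParseCertificate(block.Bytes)
}

// MakeTestCert builds a throwaway self-signed certificate carrying the given
// CRL and OCSP URLs (constructed, non-resolving example.test names) so that
// the check can be exercised offline.
func MakeTestCert(crlURLs, ocspURLs []string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example.test"},
		DNSNames:              []string{"example.test"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		CRLDistributionPoints: crlURLs, // becomes the CRL Distribution Points extension
		OCSPServer:            ocspURLs, // becomes the OCSP entry of the AIA extension
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func report(label string, cert *x509.Certificate) {
	fmt.Printf("%-40s %-9s visible to CRL-based aggregators: %v\n",
		label, Classify(cert), CoveredByCRLAggregator(cert))
}

func main() {
	if len(os.Args) > 1 { // inspect a real certificate from a PEM file
		data, err := os.ReadFile(os.Args[1])
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(1)
		}
		cert, err := ParsePEM(data)
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(1)
		}
		report(os.Args[1], cert)
		return
	}
	// Constructed examples covering the three practices the post describes.
	cases := map[string][2][]string{
		"CA with CRL and OCSP": {{"http://crl.example.test/ca.crl"}, {"http://ocsp.example.test"}},
		"CA with CRL only":     {{"http://crl.example.test/ca.crl"}, nil},
		"CA with OCSP only":    {nil, {"http://ocsp.example.test"}},
	}
	for label, urls := range cases {
		pemData, err := MakeTestCert(urls[0], urls[1])
		if err != nil {
			panic(err)
		}
		cert, err := ParsePEM(pemData)
		if err != nil {
			panic(err)
		}
		report(label, cert)
	}
}
```

On a leaf certificate fetched from a real server the same functions answer the question the post raises: an "ocsp-only" or "none" verdict means a revocation of that certificate would not reach an aggregated-CRL consumer, whatever its OCSP responder says.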
