This is great news!

Regarding the max lifetime threshold of short-lived certificates, we ran a study 
[1] a while back that indicated the average OCSP validity time was 4 days 
(while 87.14% were equal to or less than 7 days). Thus, FWIW, we suggested a 
certificate lifetime of 4 days in our paper [2] advocating short-lived 
certificates for revocation.

[1] http://www.internetsociety.org/sites/default/files/12_4.pdf
[2] http://www.w2spconf.com/2012/papers/w2sp12-final9.pdf


Cheers,
David


On Thursday, July 31, 2014 7:07:32 PM UTC-7, Richard Barnes wrote:
> Hi all,
> 
> We in the Mozilla PKI team have been discussing ways to improve revocation 
> checking in our PKI stack, consolidating a bunch of ideas from earlier work 
> [1][2] and some maybe-new-ish ideas.  I've just pressed "save" on a new wiki 
> page with our initial plan:
> 
> https://wiki.mozilla.org/CA:RevocationPlan
> 
> It would be really helpful if people could review and provide feedback on 
> this plan.
> 
> There's one major open issue highlighted in the wiki page.  We're planning to 
> adopt a centralized revocation list model for CA certificates, which we're 
> calling OneCRL.  (Conceptually similar to Chrome's CRLsets.)  In addition to 
> covering CA certificates, we're also considering covering some end-entity (EE) 
> certificates with OneCRL too.  But there are some drawbacks to this approach, 
> so it's not certain that we will include this in the final plan.  Feedback on 
> this point would be especially valuable.
> 
> Thanks a lot,
> 
> --Richard
> 
> [1] https://wiki.mozilla.org/CA:ImprovingRevocation
> [2] https://www.imperialviolet.org/2012/02/05/crlsets.html
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy