A short-lived certificate is equivalent to at long-lived certificate
with a stapled OCSP-response, if we assume they have equivalent
lifetimes and equivalent client behavior on expiry vs. revocation.
However a stapled OCSP-response is not fully equivalent to an actively
requested OCSP-response. A client may choose to not support stapling and
always actively request an OCSP-response, if it believes this to be more
secure. By allowing a short-lived certificate to not include an
OCSP-url, CABForum would drop support for such hypothetical client
opinion. That may be OK, but we need to acknowledge it. Should we also
allow the OCSP-url to be omitted from a certificate, if it has must-staple?
Short-lived certificates still have an advantage, even with an embedded
OCSP-url. Clients that support them would not perform OCSP-requests for
short-lived certificates, and compared to stapling, you still save the
entire stapled OCSP-response from the handshake. If both Firefox and
Chrome supports it, you will quickly get to a point where a site would
get the speed advantage for over half its users.
We should consider to treat an expired short-lived certificate the same
as a revoked certificate in browser UI. I believe the reason for
click-through certificate error UI is backwards compatibility. If
browsers never had click-through, the number of false positives would be
far less. Short-lived certificates are rare or non-existent today. If we
can get enough browsers to prevent click-trough for these certificates
before they become widespread, I think it would work. But if only
Firefox prevents click-through, server-operators would just drive users
to other browsers, so this would need to be a coordinated effort.
Before short-lived certificates can become practically usable, servers
need to automatically fetch certificates from CAs. Since browser makers
seem to show the most interest in fixing revocation, browser makers need
to facilitate development and/or adoption of protocols that support
this. Otherwise I fear that nobody else will.
Den 04-09-2014 kl. 12:21 skrev Gervase Markham:
> Short-lived certs are one plank of our future revocation strategy.[0]
> Currently, it is not permitted by the CAB Forum Baseline Requirements to
> revocation pointers out of a cert, ever. However, this is part of the
> big value of short-lived certs, as it's what unlocks their
> speed-increasing potential across all browsers. (The logic is that a
> 3-day expiry misissued cert with no revocation pointers has a similar
> risk profile to a 1-year expiry misissued cert where the attacker has
> captured a valid 3-day expiry OCSP response they can staple to it).
>
> I've just been reviewing discussions from July 2012 on the CAB Forum
> mailing lists about short-lived certs. There was some significant
> opposition to removing revocation information from short-lived certs at
> the time (although things may be different now, I don't know). I
> personally think much of that opposition was mistaken, but the
> discussion nevertheless did not result in consensus.
>
> How should we approach the issue of short-lived certs? It seems to me we
> can do the following:
>
> 0) Try and get a motion passed to change the BRs to allow short-lived
> certs to not have any revocation information. This would probably
> require us to review the original discussion and make a wiki page
> outlining our proposal and rebutting objections. We may still run into
> heavy weather. We could also discuss it at the face-to-face.
>
> 1) Write an exception in Mozilla's policy that short-lived certs don't
> have to have revocation info. This would likely have no effect, because
> CAs would want to continue issuing to the BRs.
>
> 2) Stop checking revocation information for short-lived certs
> unilaterally. This would result in reduced take-up of the idea, because
> there would be no advantage in other browsers, and one would still need
> to implement all the mechanisms, both at the CA and at the site, for
> frequent cert renewals and deployments.
>
> 3) Configure Firefox to not bother checking revocation information for
> any cert newer than N days. This way, you can "emulate" short-lived
> certs by just reissuing an X-year cert every N days or less. It also
> 'fixes' the clock-skew problem in one direction, because the certs will
> still work for users whose clocks are some way in the future (although
> their browsers would check revocation).
>
> 4) Something else?
>
> Gerv
>
> [0]
https://wiki.mozilla.org/CA:RevocationPlan
>