Revocation Confusion(nullpxl.com)
nullpxl.com
Revocation Confusion
https://nullpxl.com/post/revocation-confusion/
5 comments
> thankfully it's already available through Let's Encrypt, via the "shortlived" profile
Maybe if you're the developer of a major web server :), but the rest of us still have to wait for general availability [0] [1].
[0]: https://letsencrypt.org/docs/profiles/#shortlived
[1]: https://community.letsencrypt.org/t/shortlived-is-currently-...
Maybe if you're the developer of a major web server :), but the rest of us still have to wait for general availability [0] [1].
[0]: https://letsencrypt.org/docs/profiles/#shortlived
[1]: https://community.letsencrypt.org/t/shortlived-is-currently-...
I'm not seeing how there's no need to revoke. It means a compromised certificate is still considered valid for several days, in which a lot of damage can be done.
Propagating the revocation information often takes about as long.
One thing the article doesn’t mention is that a lot of certs are revoked for purely admin reasons. CeasedOperations seems to be the case for Flair - nothing bad happened to the key, but the cert was revoked nevertheless.
This seems to be a common practice for some CAs or companies, but it’s not required AFAICT; and it contributes to the gigantic CRLsets that we have - most of those revocations wouldn’t actually be needed from a security pov.
This seems to be a common practice for some CAs or companies, but it’s not required AFAICT; and it contributes to the gigantic CRLsets that we have - most of those revocations wouldn’t actually be needed from a security pov.
Short certificate lifetimes is the ultimate way forward, and thankfully it's already available through Let's Encrypt, via the "shortlived" profile.
With a certificate that lives < ~7 days, there's virtually no need to revoke. Some clients/browsers will still move to revoke certificates within minutes or hours of their own choosing (see, that's the other frustrating thing, revocation is really just whatever you want), but I hope we'll only see that on internal PKIs, since doing that for public sites is essentially censorship.