I think that neither CRL nor (plain) OCSP are really workable solutions, but I also agree with the article that not all revocations are equal. There’s a huge difference between a certificate being revoked because a company changes owners or goes out of business and a certificate being revoked because it has been compromised and is being abused to actively MITM sites.

Of these huge numbers of revocations quoted, I would assume that the majority of them are in the “not so important” camp and a very small minority is in the “oh shit” camp. As such, yes, if browsers actively and immediately react to revocations from the “oh shit” camp while not bothering as much for the rest, I don’t see that it’s such a huge problem as grc makes it out to be.

OTOH, we do have a solution that works equally well for the administrative and the “oh shit” cases and doesn’t have scaling or privacy issues: by using OCSP stapling and the OCSP Stapling Required X.509 extension, we have a reliable method for detecting revoked certificates within a reasonably short time frame (though I would still want my browsers to keep that “oh shit” list around for emergencies that require immediate attention). Now it’s just a matter of time until OSes, browsers and web servers support OCSP stapling, and in a few years this will become a comparative non-issue.

Still. It’s good that this is being talked about at the moment, as revocation in general was largely an issue that was at best half-assedly solved.
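Added example, not from the comment or from any browser's or TLS library's code: a stdlib-only decoder for the TLS Feature extension that a must-staple certificate carries (RFC 7633, OID 1.3.6.1.5.5.7.1.24, which the comment calls the "OCSP Stapling Required" extension), followed by the client decision that extension drives. The DER bytes and the verdict labels are constructed for illustration.

```python
from typing import List, Optional

# RFC 7633: id-pe-tlsfeature, value is "Features ::= SEQUENCE OF INTEGER",
# where each INTEGER is a TLS extension type the server must send.
TLS_FEATURE_OID = "1.3.6.1.5.5.7.1.24"
STATUS_REQUEST = 5        # TLS "status_request" extension (OCSP stapling)
STATUS_REQUEST_V2 = 17    # TLS "status_request_v2"


def parse_tls_features(der: bytes) -> List[int]:
    """Decode the extension value. Only short-form DER lengths are
    handled, which is all this tiny extension uses in practice."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    seq_len = der[1]
    if seq_len & 0x80 or 2 + seq_len != len(der):
        raise ValueError("bad or long-form SEQUENCE length")
    body, pos, features = der[2:], 0, []
    while pos < len(body):
        if pos + 2 > len(body) or body[pos] != 0x02:
            raise ValueError("expected INTEGER element")
        n = body[pos + 1]
        value = body[pos + 2 : pos + 2 + n]
        if len(value) != n:
            raise ValueError("truncated INTEGER")
        features.append(int.from_bytes(value, "big", signed=True))
        pos += 2 + n
    return features


def must_staple(ext_der: Optional[bytes]) -> bool:
    """True if the certificate demands a stapled OCSP response
    (extension absent -> no requirement)."""
    if ext_der is None:
        return False
    feats = parse_tls_features(ext_der)
    return STATUS_REQUEST in feats or STATUS_REQUEST_V2 in feats


def stapling_verdict(ext_der: Optional[bytes], stapled_present: bool) -> str:
    """Client-side decision: a must-staple certificate presented without a
    stapled response is a failure (the 'hard fail' the comment relies on);
    a present staple still has to be validated; without the extension the
    client falls back to whatever soft revocation checking it does."""
    if must_staple(ext_der) and not stapled_present:
        return "hard-fail"
    return "validate-stapled-response" if stapled_present else "soft-fail-fallback"


# Constructed value: SEQUENCE { INTEGER 5 } -> status_request required
MUST_STAPLE_EXT = bytes.fromhex("3003020105")
```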