Subject: Policy-Discussion
- From: Michael Tänzer <michael.taenzer AT cacert.org>
- To: cacert-policy AT lists.cacert.org
- Cc: Ian G <iang AT cacert.org>
- Subject: Re: p20111113 CPS #7.1.2 "Certificate Extensions" adjustments
- Date: Thu, 17 Nov 2011 00:34:10 +0100
- Openpgp: id=9940BEF1
Hi Ian,
On 16.11.2011 23:00, Ian G wrote:
> crlDistributionPoints=URI:<crlUri>
>
> following on from discussions in NewRootsTaskForce we have surmised
> whether to get rid of CRLs in the future, as OCSP gives us a much
> better mechanism to deal with disaster recovery.
>
> But this would also involve dropping CRLs. And not putting the URI
> in the certs.
We can still drop them and stop putting URLs in the certs once we really
want to get rid of CRLs.
> Whether this is a good thing or a bad thing I'm unsure, but I note
> that Baseline Requirements (Draft 50, which has just come out 2 hours
> ago) goes some way in this direction.
>
> http://www.gerv.net/temp/Baseline_Requirements_Draft_50.pdf section
> 13.2.2. OCSP is like SHALL, and CRLs are like an IF. Although the
> text is typically unclear....
So this is basically something CAs and major browser vendors agreed upon.
a) It looks like yet another standard no one ever needed to replace the
huge load of standards we already have, but really it just adds another
one: https://www.xkcd.com/927/
b) It's not even a standard yet. And even once it is formally accepted, a
real standard is one which is widely adopted, not something some
committee agreed upon (even if there are representatives of major
companies, that doesn't mean they will all stick to the standard
immediately, and some might even never conform to it).
c) There is a huge load of software that needs to handle certificates
and is not a browser. Just look at the other end of the connection, for
example. AFAIK the openssl module for Apache only allows specifying CRLs;
it will not do OCSP lookups. That might even be impossible because the
server is configured in a way that doesn't allow outgoing connections. A
cron job might update that CRL regularly. CRLs have been around for like
forever, while OCSP is a relatively new thing. If we are discussing
allowing small key sizes, we definitely should keep CRLs for the sake of
backwards compatibility.
So while dropping CRLs might be possible in the future I would
definitely keep them for now.
Cheers,
--
Michael Tänzer
CAcert Support Team Leader
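The CRL-only server scenario from the message above (a server whose TLS module only reads a CRL file, refreshed by a cron job from the crlDistributionPoints URI), as an added example that is not part of the thread or of CAcert's tooling. It assumes openssl and curl are in PATH; the certificate, CRL and reload-command paths are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: a cron-driven CRL refresh for a server
# that only understands CRLs (Apache mod_ssl with SSLCARevocationFile).
# Assumes openssl and curl in PATH; every path below is a placeholder.
set -eu

# Print the first crlDistributionPoints URI found in a PEM certificate.
crl_uri_from_cert() {
  openssl x509 -in "$1" -noout -text | awk '
    /X509v3 CRL Distribution Points/ { inside = 1; next }
    inside && /URI:/ { sub(/.*URI:/, ""); print; exit }
    inside && /^ *X509v3/ { exit }'
}

# Accept a candidate CRL only if the CA signed it and it is still before its
# nextUpdate. Verifying the server's own cert with -crl_check makes openssl do
# both checks. A CRL that revokes that very cert has still passed them, so it
# is installed (and flagged) rather than silently keeping a stale CRL around.
# $1 = candidate CRL (PEM), $2 = CA certificate, $3 = server certificate
crl_acceptable() {
  out=$(openssl verify -crl_check -CAfile "$2" -CRLfile "$1" "$3" 2>&1) && return 0
  case "$out" in
    *"certificate revoked"*) echo "warning: $3 is listed as revoked" >&2; return 0 ;;
  esac
  echo "rejected CRL: $out" >&2
  return 1
}

# Fetch the CRL advertised in our certificate, validate it, install it
# atomically, and only then reload the server so it picks up the new file.
# $1 = server cert, $2 = CA cert, $3 = destination CRL path, $4 = reload command
refresh_crl() {
  uri=$(crl_uri_from_cert "$1")
  [ -n "$uri" ] || { echo "no crlDistributionPoints URI in $1" >&2; return 1; }
  tmp=$(mktemp "$3.XXXXXX")
  # CRLs are normally served as DER; mod_ssl wants PEM, so convert on the way in.
  if curl -fsS --max-time 30 "$uri" | openssl crl -inform DER -out "$tmp" 2>/dev/null \
     && crl_acceptable "$tmp" "$2" "$1"; then
    mv -f "$tmp" "$3" && $4
  else
    rm -f "$tmp"; echo "kept the previous CRL in $3" >&2; return 1
  fi
}

# Run from cron, e.g. "17 * * * * /usr/local/sbin/refresh-crl.sh run" (assumed paths).
if [ "${1:-}" = run ]; then
  refresh_crl /etc/ssl/srv.pem /etc/ssl/ca.pem /etc/ssl/crl/ca.crl "apachectl graceful"
fi
```

A download or signature failure leaves the previously installed CRL untouched and returns non-zero, so cron's mail (or a monitoring hook on the exit status) is the only place the failure shows up.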