BRs: Clarify what "revocation" means on a technical level #252
Comments
sleevi
added
the
baseline-requirements
|
Just as a note here, one of the causes of confusion here is that the BRs do specify both a timeline for revocation and a timeline for publication (via OCSP or CRL) for Subordinate CA Certificates:
However, while the quote from section 4.9.1.2 has an analogue for subscriber certs...
...no such equivalents exist for the latter two quotes. In addition to providing a more rigorous definition of "revocation", it would be useful to unify the language regarding subscriber certs and the language regarding intermediate CA certs, such that a CA cannot read too much into the difference between them. |
|
Thinking on the CDN for CRL distribution aspect: I think that requiring a cache purge (which, depending on cache architecture) can be an expensive operation on a per-revocation basis would negate much of the utility of a CDN in the first place. It is expected behaviour that a CDN can produce inconsistent responses to a GET operation, unless that CDN has extremely aggressive ICP configuration. On the point at hand, I think that revocation, realistically, must mean that a verifiable signing operation traceable to the issuing CA must take place, complete with timestamps. Of course, a dishonest CA could backdate a revocation, but there are all sorts of failure modes which occur when facing backdating dishonesty. But flipping a bit in the database is the beginning of the revocation operation - signing of the decision is the point at which that revocation is externally verified, and should be counted as such as satisfying (or not!) the timeliness requirement of the revocation. |
This is not the final step of revocation. Revocation is publication at the CDN in a consistent view, an expectation that has been communicated in past incidents. I agree with you that signing is, at minimum, part of the act, but inconsistent CDN views are indistinguishable from not having published. Unless and until such information is globally visible, the CA has not revoked the certificate. If their CDN makes that difficult, then they need to look at other CDN approaches, such as those outlined for immediate cache invalidation. |
|
OK - so if the maximum cache time for a revocation relevant artifact (OCSP response, CRL) is set to X hours, then assuming that revocation initiation (meaning signing said artifact and publishing to origin) is done in (24 - X) hours, then revocation can be said to have been completed within 24 hours (per the requirements); would that be a way of satisfying the desire for a world-wide consistent view? I've not reviewed CDN service level agreements in a while; but having worked for a CDN, I can attest that guaranteeing the effect of global cache purge is not that bulletproof. Don't get me wrong: it's not the BR's job to protect the CAs from choosing ill suited technologies to perform their tasks. I'm just trying to figure out the best ways of handling the problem. I'm sympathetic to the view that says "revocation is done when the world can see that it's been done", but the reality of CDNs as a method of global distribution adds complexity to that picture. |
Yup!
Wholly agreed! I think there’s always room for further discussion when attached with specific technical details. For example, the bug I linked to was very useful in diving deeper into the service offerings of a variety of CDNs, and if/how they offer invalidation APIs and their limits. We certainly want to keep within the bounds of reasonable, but it does mean exploring the difference between “this is inconvenient” and “this is difficult” and “this is impossible”. The more we can unpack these technical details, the more we can align on clear and consistent expectations. |
Section 4.9.1.1 of the BRs requires:
However, Section 4.9.7 of the BRs states:
And Section 4.9.8 states:
This creates some ambiguity for CAs about what "SHALL revoke" entails. Is it the matter of merely setting a
is_revokedbit on the server, or is it the act of publishing new CRLs and OCSP responses to indicate this status? RFC 5280 takes the perspective that 'the repository' is the store of CRLs, and so naturally the expectation is that yes, "SHALL revoke" is the act of publishing new CRLs and OCSP responses and ensuring they're available (c.f. 4.10.2 of the BRs).However, a secondary question then follows: If a given certificate has both an OCSP AIA and a CRL Distribution Point, are those two systems allowed to be out of sync for any period of time after revocation has occurred? That is, once revoked, does a CA need to immediately generate both a new CRL and a new OCSP response, or can they generate one (e.g. OCSP) but not the other (e.g. CRL)? RFC 6960 notes that OCSP enables more timely obtaining of status information than CRLs, but is that a statement merely about local client caching behaviours, or is it an intrinsic property that the two systems are allowed to diverge?
We should clarify precisely what the expectation of revocation means, and how that flows into the requirements.
A suggested strawman for discussion:
The text was updated successfully, but these errors were encountered: