At the most recent CA/Browser Forum folks from DigiCert and I both made presentations on what’s needed to improve the current state of revocation in X.509.
There were really two different themes in these presentations:
- We can better use the technologies we have today.
- We can make “tweaks” to the technologies we have today to improve the situation.
It was not really possible to go into any detail about these proposals, since the allocated time slots were more presentation oriented. Because the DigiCert guys had already engaged with Massimiliano Pala of NYU Polytechnic University (the founder of the OpenCA project), they agreed to work with him to arrange this workshop.
The session is April 16th (I leave tomorrow) and I am looking forward to the chance to talk about this topic. My goals for the session are that we reach agreement on:
- Authoring a whitepaper on OCSP responder best practices.
- Authoring a whitepaper on revocation client best practices.
- Agreeing on an approach to “opt-in” hard revocation checking.
- Agreeing on a path forward to resolve the many outstanding Firefox revocation issues.
- Funding Nginx to add support for OCSP stapling this year.
There are lots of other potentially interesting topics I am sure will come up:
- Getting Apache’s OCSP stapling enabled by default.
- Short-lived certificates, their potential and challenges.
- Defining a new transport for OCSP via DNS.
- Defining a new query-less OCSP like protocol.
- CRLsets and their place in the browser ecosystem.
Should be an interesting day for sure.