Re: What ASN.1 got right

On 3/4/21 9:15 AM, Nico Williams wrote:
> On Thu, Mar 04, 2021 at 09:07:51AM -0800, Michael Thomas wrote:
> > On 3/4/21 7:54 AM, Nico Williams wrote:
> > > You can dispense with CRLs/OCSP if you use sufficiently short-lived
> > > certificates.
> > >
> > > That requires an online CA to certify those short-lived certificates,
> > > but it's online infrastructure that is required only once or twice per
> > > rotation period for any one end entity.
> >
> > "requires an online" being the key phrase. If you require online, you can
> > reduce the revocation linger time to zero, and you don't need the onerous
> > infrastructure of X.509 at all. Naked public keys are our friends.
>
> The "... that is required only once or twice per rotation period for any
> one end entity" part is an essential modifier to "requires an online".
> You can't focus on the "requires an online" without addressing the other
> part.

Your online requirements cherry-pick that the online requirements will neatly line up in times of need and ignore other online requirements. Authentication is one small part of a larger system. That larger system almost always needs to be online 24/7. X.509 is a relic from the past.

Mike
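The two positions above differ on where the revocation "linger time" comes from: with short-lived certificates it is bounded by the certificate lifetime and needs no CRL/OCSP path at all, whereas with long-lived certificates it is bounded by how often relying parties refresh the CRL. The following toy model, added here as an illustration and not code from this thread or from any participant, makes that concrete. It uses a simulated integer clock, an HMAC as a stand-in for the CA signature (a real CA signs asymmetrically), and constructed parameters (one-hour certs renewed every 30 minutes, i.e. two CA contacts per rotation period; a one-year cert with a daily CRL refresh); the subject name and key are placeholders.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass

# Constructed demo key; a real CA signs with an asymmetric private key.
CA_KEY = b"constructed-demo-ca-key"


@dataclass(frozen=True)
class Cert:
    subject: str
    not_before: int  # simulated clock, in seconds
    not_after: int
    sig: str


def _body(subject, not_before, not_after):
    """Canonical bytes that the CA signs (assumption: JSON list is enough here)."""
    return json.dumps([subject, not_before, not_after]).encode()


def issue(subject, now, lifetime):
    """The online CA certifies `subject` for `lifetime` seconds from `now`."""
    sig = hmac.new(CA_KEY, _body(subject, now, now + lifetime), hashlib.sha256).hexdigest()
    return Cert(subject, now, now + lifetime, sig)


def verify(cert, now):
    """Relying-party check: valid CA signature and inside the validity window.
    There is no CRL or OCSP lookup: expiry is the only revocation mechanism."""
    expected = hmac.new(
        CA_KEY, _body(cert.subject, cert.not_before, cert.not_after), hashlib.sha256
    ).hexdigest()
    if not hmac.compare_digest(expected, cert.sig):
        return False
    return cert.not_before <= now < cert.not_after


def short_lived_exposure(lifetime, renew_every, compromise_at):
    """Seconds after `compromise_at` during which a relying party still accepts
    the subject's certificate, assuming the CA learns of the compromise at that
    instant and simply stops renewing.  Renewals happened every `renew_every`
    seconds before that.  The result can never exceed `lifetime`."""
    last_issue = ((compromise_at - 1) // renew_every) * renew_every
    cert = issue("svc.example", last_issue, lifetime)  # placeholder subject
    t = compromise_at
    while verify(cert, t):
        t += 1
    return t - compromise_at


def crl_exposure(cert_lifetime, crl_refresh, compromise_at):
    """Same question for a long-lived certificate issued at t=0 and revoked via
    CRL at `compromise_at`: the relying party keeps accepting it until its next
    CRL refresh (every `crl_refresh` seconds, fetch assumed to succeed) or the
    certificate expires, whichever comes first.  Bounded by `crl_refresh`."""
    next_fetch = (compromise_at // crl_refresh + 1) * crl_refresh
    return min(next_fetch, cert_lifetime) - compromise_at


if __name__ == "__main__":
    # One-hour certs renewed every 30 minutes: two CA contacts per rotation period.
    print("short-lived, no revocation:", short_lived_exposure(3600, 1800, 5000), "s")
    # One-year cert, relying party refreshes the CRL once a day.
    print("long-lived, daily CRL:", crl_exposure(365 * 86400, 86400, 5000), "s")
```

Both numbers are worst-case windows chosen by configuration: the short-lived scheme pays for its bound with a CA that must answer renewals on schedule, the CRL scheme pays with a fetch that must succeed on schedule, which is the "other online requirements" point in the reply above.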