On Thu, Mar 04, 2021 at 09:19:32AM -0800, Michael Thomas wrote:
> On 3/4/21 9:15 AM, Nico Williams wrote:
> > On Thu, Mar 04, 2021 at 09:07:51AM -0800, Michael Thomas wrote:
> > > On 3/4/21 7:54 AM, Nico Williams wrote:
> > > > You can dispense with CRLs/OCSP if you use sufficiently short-lived
> > > > certificates.
> > > >
> > > > That requires an online CA to certify those short-lived certificates,
> > > > but it's online infrastructure that is required only once or twice per
> > > > rotation period for any one end entity.
> > > "requires an online" being the key phrase. If you require online, you can
> > > reduce the revocation linger time to zero, and you don't need the onerous
> > > infrastructure of X.509 at all. Naked public keys are our friends.
> > The "... that is required only once or twice per rotation period for any
> > one end entity" part is an essential modifier to "requires an online".
> > You can't focus on the "requires an online" without addressing the other
> > part.
>
> Your online requirements cherry-pick that the online requirements will
> neatly line up in times of need and ignore other online requirements.
> Authentication is one small part of a larger system. That larger system
> almost always needs to be online 24/7. X.509 is a relic from the past.

I've explained about online requirements on every transaction vs. once in
a while. It's not cherry-picking. It's trade-offs.

I've tried explaining, and you can disagree with good technical arguments
about cases where there's better trade-offs or whatever, but instead
you've just been unnecessarily rude.

Have a nice day.
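The trade-off argued over above, modelled from the relying party's side as an added example (this is not code from the thread or from either participant): if a verifier drops CRL/OCSP checks on the strength of short-lived certificates, the certificate lifetime becomes the worst-case revocation linger, so the verifier must refuse any certificate whose window is longer than the linger it is prepared to tolerate. The `CertWindow` class, the `accept_without_revocation_check` policy, the `online_contacts` model and the sample validity windows are all constructed for this example; the OCSP side assumes no response caching, which is a simplification.

```python
"""Added example (not from the thread): a relying-party model of the
short-lived-certificate vs. CRL/OCSP trade-off.  All certificate windows
below are constructed sample data; the policy and helper names are this
example's own, not any library's API."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import math


@dataclass(frozen=True)
class CertWindow:
    """Only the validity window of a certificate; enough for this model."""
    subject: str
    not_before: datetime
    not_after: datetime

    @property
    def lifetime(self) -> timedelta:
        return self.not_after - self.not_before


def accept_without_revocation_check(cert: CertWindow, now: datetime,
                                    max_lifetime: timedelta):
    """Relying-party rule for skipping CRL/OCSP entirely.

    Skipping revocation checks is only sound if the certificate's whole
    validity window is no longer than the linger the relying party will
    tolerate, so a long-lived certificate is refused here rather than
    silently accepted unchecked."""
    if cert.lifetime > max_lifetime:
        return False, "lifetime exceeds policy; CRL/OCSP would be required"
    if not (cert.not_before <= now <= cert.not_after):
        return False, "outside validity window"
    return True, "ok"


def worst_case_linger(cert: CertWindow, compromise_at: datetime) -> timedelta:
    """With no revocation channel, a compromised key stays usable until
    not_after; the remaining time is the linger, bounded by the lifetime."""
    return max(timedelta(0), cert.not_after - compromise_at)


def online_contacts(rotation_period: timedelta, cert_lifetime: timedelta,
                    transactions: int, renewals_per_lifetime: int = 1) -> dict:
    """How often each scheme touches an online party during one rotation
    period, for one end entity.  Short-lived certs: the CA is contacted
    once (or twice, if renewed early) per certificate lifetime.  OCSP: the
    responder is contacted on every transaction (no caching assumed; a
    simplification made for this example)."""
    periods = math.ceil(rotation_period / cert_lifetime)
    return {
        "short_lived_ca_contacts": periods * renewals_per_lifetime,
        "ocsp_contacts": transactions,
    }


NOW = datetime(2021, 3, 4, 17, 0, tzinfo=timezone.utc)  # constructed reference time


def sample_certs() -> dict:
    """Constructed sample windows: a one-day cert and a one-year cert."""
    return {
        "short": CertWindow("svc-a", NOW - timedelta(hours=1), NOW + timedelta(hours=23)),
        "long": CertWindow("svc-b", NOW - timedelta(days=30), NOW + timedelta(days=335)),
    }


def demo() -> dict:
    """Run the model on the sample windows and return the results."""
    certs = sample_certs()
    policy = timedelta(days=1)  # tolerate at most one day of revocation linger
    return {
        "short_ok": accept_without_revocation_check(certs["short"], NOW, policy)[0],
        "long_ok": accept_without_revocation_check(certs["long"], NOW, policy)[0],
        "short_expired_ok": accept_without_revocation_check(
            certs["short"], NOW + timedelta(days=2), policy)[0],
        "short_linger_hours": worst_case_linger(certs["short"], NOW) / timedelta(hours=1),
        "long_linger_days": worst_case_linger(certs["long"], NOW) / timedelta(days=1),
        "contacts": online_contacts(timedelta(days=30), timedelta(days=1), 10_000),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows the two sides of the argument side by side: the one-day certificate is accepted with no revocation lookup and a worst case of 23 hours of linger after a compromise, while the one-year certificate is refused under the same policy because skipping CRL/OCSP for it would leave 335 days of linger; over a 30-day rotation period the short-lived scheme contacts the CA 30 times per end entity, against one OCSP contact per transaction.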