Re: [lamps] Draft LAMPS Recharter

Russ Housley <> Wed, 02 May 2018 21:13 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 5962612DA19 for <>; Wed, 2 May 2018 14:13:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id S1_fVkph0tof for <>; Wed, 2 May 2018 14:13:20 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 993A5120721 for <>; Wed, 2 May 2018 14:13:20 -0700 (PDT)
Received: from localhost (localhost []) by (Postfix) with ESMTP id 88B08300558 for <>; Wed, 2 May 2018 17:13:18 -0400 (EDT)
X-Virus-Scanned: amavisd-new at
Received: from ([]) by localhost ( []) (amavisd-new, port 10026) with ESMTP id 6xlGecHkXxoC for <>; Wed, 2 May 2018 17:13:17 -0400 (EDT)
Received: from a860b60074bd.home ( []) by (Postfix) with ESMTPSA id 0F9543004FE; Wed, 2 May 2018 17:13:17 -0400 (EDT)
From: Russ Housley <>
Message-Id: <>
Content-Type: multipart/alternative; boundary="Apple-Mail=_55156075-BB6A-4B4F-B017-6B2C45F6D47B"
Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\))
Date: Wed, 02 May 2018 17:13:17 -0400
In-Reply-To: <>
Cc: LAMPS <>
To: Ryan Sleevi <>
References: <> <> <>
X-Mailer: Apple Mail (2.3273)
Archived-At: <>
Subject: Re: [lamps] Draft LAMPS Recharter
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 02 May 2018 21:13:22 -0000

> On May 2, 2018, at 5:06 PM, Ryan Sleevi <> wrote:
> On Wed, May 2, 2018 at 10:41 AM, Russ Housley < <>> wrote:
> Based on the discussion in London and the "Potential Topics for LAMPS Recharter" mail thread.  We propose the attached charter text.  Please review and comment.
> Russ & Tim
> = = = = = = = = =
> 3. Specify the use of short-lived X.509 certificates for which no
> revocation information is made available by the Certification Authority.
> Short-lived certificates have a lifespan that is shorter than the time
> needed to detect, report, and distribute revocation information, as a
> result revoking them pointless.
> I didn't see much discussion on the list in support for this, but apologies, I missed the discussion in SECDISPATCH when this draft was discussed.
> Is this being envisioned for the use in the PKI typically called the "Web PKI", or is this being seen as a draft for private use cases? I have read the draft, and do not feel this was clearly and unambiguously answered.
> I ask because, for various policy reasons, I would expect that undertaking this work may result in policies that explicitly prohibit it from being deployed on the Web PKI.
> As a practical matter, the draft acknowledges an alternative design (namely, OCSP stapling), but its two objections to this work do not hold. As a consequence, I have concerns about the motivations for and the alternatives considered, and thus don't think LAMPS needs to consider such work in scope at this time.

I was in the room for the SECDISPATCH discussion.  I'll share my view at the end of that discussion.  Many people were interested in short-lived certificates, and not just for the Web PKI.  Some people understood that the Web PKI might not be able to use short-lived certificates right away, but if this work isn't done, then the Web PKI will not ever be able to use them.  So, other PKI environments might be able to make immediate use of short-lived certificates, and the Web PKI might also make use of them someday.