

Short-lived certs - tosh
https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/T11up58JkFc

======
jrochkind1
Can someone turn this into English? I think it's missing a verb?

> Currently, it is not permitted by the CAB Forum Baseline Requirements to
> revocation pointers out of a cert, ever.

~~~
phlo
> I think it's missing a verb?

Gervase may have meant to write "Currently, it is not permitted by the CAB
Forum Baseline Requirements to [remove] revocation pointers out of a cert,
ever."

For more details, see Appendix B (2) b of the CAB Forum's Baseline
Requirements [0]. Per the document, a CRL distribution point MUST always be
provided.

Currently, certificate revocation is ineffective, prone to failure and a
potential privacy risk. Adam Langley has described the issues comprehensibly
and at length in a series [1, 2, 3] of insightful posts on ImperialViolet.

[0] https://cabforum.org/wp-content/uploads/Baseline_Requirements_V1_1_9.pdf

[1] https://www.imperialviolet.org/2011/03/18/revocation.html

[2] https://www.imperialviolet.org/2014/04/19/revchecking.html

[3] https://www.imperialviolet.org/2014/04/29/revocationagain.html
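The requirement phlo cites (a CRL distribution point must always be present) is easy to check on a given certificate. The script below is an added example, not code from the thread or from any of the linked posts: it uses the `openssl` CLI (1.1.1 or later, for `-addext`) to report whether a PEM certificate carries a CRL Distribution Points extension and whether it also carries an OCSP responder URI in Authority Information Access. The two throwaway self-signed certificates it generates under the reserved `example.invalid` name are constructed test material, one with both pointers and one with neither, so the check can be exercised offline.

```shell
#!/bin/sh
# Added example: check a PEM certificate for the revocation pointers the
# Baseline Requirements expect. Assumes the openssl CLI (>= 1.1.1) is on PATH.
set -eu

# Return 0 if the certificate in $1 has an X509v3 CRL Distribution Points extension.
has_crl_dp() {
    openssl x509 -in "$1" -noout -text | grep -q 'X509v3 CRL Distribution Points'
}

# Return 0 if the certificate in $1 lists an OCSP responder URI in its
# Authority Information Access extension.
has_ocsp_uri() {
    openssl x509 -in "$1" -noout -text | grep -q 'OCSP - URI:'
}

# Print a short verdict for $1. Returns 0 only when the CRL DP that the
# Baseline Requirements mandate is present; OCSP is reported for context.
revocation_pointer_report() {
    cert=$1
    if has_ocsp_uri "$cert"; then
        echo "$cert: OCSP responder URI present"
    else
        echo "$cert: no OCSP responder URI"
    fi
    if has_crl_dp "$cert"; then
        echo "$cert: CRL Distribution Point present"
        return 0
    fi
    echo "$cert: no CRL Distribution Point (not Baseline Requirements compliant)"
    return 1
}

# Constructed test material: two short-lived self-signed certs in a temp dir.
# example.invalid is a reserved name, so the URIs below never resolve.
# Prints the directory path so callers can find with_crl.pem and no_crl.pem.
make_test_certs() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$dir/k1.pem" -out "$dir/with_crl.pem" -days 1 \
        -subj "/CN=with-crl.example.invalid" \
        -addext "crlDistributionPoints=URI:http://crl.example.invalid/ca.crl" \
        -addext "authorityInfoAccess=OCSP;URI:http://ocsp.example.invalid" \
        2>/dev/null
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$dir/k2.pem" -out "$dir/no_crl.pem" -days 1 \
        -subj "/CN=no-crl.example.invalid" 2>/dev/null
    printf '%s\n' "$dir"
}

# Usage: ./check_revocation_pointers.sh cert.pem
# With no argument the script only defines the functions above.
if [ "$#" -gt 0 ]; then
    revocation_pointer_report "$1"
fi
```

Pointing the script at a leaf certificate exported from a browser or fetched with `openssl s_client` gives the same verdict the CA/Browser Forum language expects; a certificate with neither pointer is exactly the case the thread is discussing, since the client then has no way to learn about revocation short of a short validity period.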

