Revisiting CRL in light of CRLite

Although in the past Let’s Encrypt have indicated they have no plans, due to high cost and low pay-off, to implement CRL for leaf certificates, I wonder if the introduction of CRLite does anything to rock the boat?

Some interesting blog posts about it that are worth reading:

• https://blog.mozilla.org/security/2020/01/09/crlite-part-1-all-web-pki-revocations-compressed/
• https://blog.mozilla.org/security/2020/01/09/crlite-part-2-end-to-end-design/

I think the tl;dr; is that it regularly processes CRLs of all trusted CAs into an extremely efficient data structure which gets sent to browsers, and then the browsers can query it offline. Solves the latency, reliability and privacy problems with CRLs and OCSP. Currently implemented in Firefox Nightly.

It seems like it could provide an answer to the revocation checking problem, but perhaps not so much if the largest CA isn’t participating.

cc @roland who has spent some time thinking about this.

Hey, sorry for the lag on getting back to you on this.

We’ve been in contact with those at Mozilla behind this initiative and are interested in possibly participating down the road. That said the development work to enable this is not insubstantial on our side and is currently not one of our highest priorities, so we have no concrete plans on when this might happen.

(Given these are Boulder implementation specific they are probably not of much interest to anyone, but I realized I never published my CRL sharding notes that are related to this, so I stuck them on the Boulder GitHub wiki if anyone wants to peruse them https://github.com/letsencrypt/boulder/wiki/CRL-sharding-notes)

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.