
Comment by crote

7 hours ago

> Revocation is an emergency measure, not a routine one. That's ok.

Rather the opposite: revocation is the one time it actually matters, so your infrastructure shouldn't come to a grinding halt when it happens!

Let's say a party like LetsEncrypt needs to do a mass revocation of all certificates. Unlikely, but it has happened before. This is going to instantly blow up the CRL from perhaps a few thousand to 700 million entries. Force every browser to download that regularly and you've essentially accidentally created a DDoS on LetsEncrypt's CRL service.

And how do you want the browser to respond? Fail-closed and you've just created a method to take 80% of the internet offline by DDoSing a single service; fail-open and you've just created a method for an attacker to bypass certificate revocation entirely.

With critical infrastructure like this you can't get away with only thinking about the happy path. It should always work - even in emergencies.

> fail-open and you've just created a method for an attacker to bypass certificate revocation entirely

I generally agree about the rest but isn't what you suggest there sufficiently disproportionate to fall well outside the threat model? It buys only a limited window of opportunity in a very specific scenario while painting a neon target on your back. I feel like it's vaguely akin to worrying about a military checkpoint failing open when hit with a 30k lb bomb.
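The fail-open versus fail-closed dilemma from crote's comment, modelled as a small revocation checker so the two outcomes (and a stale-cache middle ground the thread does not discuss) can be seen side by side. This is an added illustration, not code from the thread, from any browser, or from any CA; the policy names, the constructed CRL, the per-entry size estimate used to put a number on a 700-million-entry CRL, and the timing values are all assumptions.

```python
"""Model of a TLS client's revocation check when the CRL cannot be fetched.

Added illustration for the fail-open / fail-closed dilemma; not code from the
thread, a browser, or any CA. Every name, the constructed CRL, the per-entry
size estimate and the timing values below are assumptions.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Optional


class Policy(Enum):
    FAIL_CLOSED = "fail-closed"  # CRL unreachable -> reject the certificate
    FAIL_OPEN = "fail-open"      # CRL unreachable -> accept without checking
    STALE_OK = "stale-ok"        # CRL unreachable -> use a cached copy if recent enough


class Verdict(Enum):
    ACCEPT = "accept"
    REJECT = "reject (serial is on the CRL)"
    UNKNOWN_REJECT = "reject (revocation status could not be determined)"


class CrlUnavailable(Exception):
    """The CRL distribution point timed out or returned an error."""


@dataclass(frozen=True)
class Crl:
    revoked_serials: frozenset
    fetched_at: float  # seconds since epoch


@dataclass
class RevocationChecker:
    fetch_crl: Callable[[], Crl]   # returns a fresh CRL or raises CrlUnavailable
    policy: Policy
    max_stale_seconds: float = 24 * 3600
    cache: Optional[Crl] = None

    def check(self, serial: int, now: float) -> Verdict:
        try:
            self.cache = self.fetch_crl()
        except CrlUnavailable:
            if self.policy is Policy.FAIL_OPEN:
                return Verdict.ACCEPT            # a revoked certificate is accepted here
            if self.policy is Policy.FAIL_CLOSED or self.cache is None:
                return Verdict.UNKNOWN_REJECT    # a CRL outage takes the site offline here
            if now - self.cache.fetched_at > self.max_stale_seconds:
                return Verdict.UNKNOWN_REJECT    # cached copy is too old to trust
            # STALE_OK with a recent cache: fall through and consult it
        return Verdict.REJECT if serial in self.cache.revoked_serials else Verdict.ACCEPT


def estimated_crl_bytes(entries: int, bytes_per_entry: int = 40) -> int:
    """Rough DER size of a CRL; ~40 bytes per entry (serial + revocation date) is an assumption."""
    return entries * bytes_per_entry


# --- constructed scenario (not real CA data) -------------------------------
FETCH_TIME = 1_700_000_000.0
CONSTRUCTED_CRL = Crl(revoked_serials=frozenset({0x1234, 0xBEEF}), fetched_at=FETCH_TIME)


def make_fetcher(available: bool) -> Callable[[], Crl]:
    def fetch() -> Crl:
        if not available:
            raise CrlUnavailable("distribution point timed out (simulated)")
        return CONSTRUCTED_CRL
    return fetch


def simulate(policy: Policy, serial: int, outage: bool,
             warm_cache: bool = False, hours_since_fetch: float = 1.0) -> Verdict:
    """Run one revocation check under the given policy and network conditions."""
    checker = RevocationChecker(fetch_crl=make_fetcher(True), policy=policy)
    if warm_cache:
        checker.check(0, now=FETCH_TIME)          # an earlier successful fetch fills the cache
    if outage:
        checker.fetch_crl = make_fetcher(False)   # the distribution point is now unreachable
    return checker.check(serial, now=FETCH_TIME + hours_since_fetch * 3600)


if __name__ == "__main__":
    print(f"700M-entry CRL ~ {estimated_crl_bytes(700_000_000) / 1e9:.0f} GB per client download")
    for policy in Policy:
        for serial in (0x1234, 0x9999):
            v = simulate(policy, serial, outage=True, warm_cache=True)
            print(f"{policy.value:12} serial {serial:#06x} during outage: {v.value}")
```

Running the script shows the tension directly: during a simulated outage, `fail-open` accepts the revoked serial `0x1234`, `fail-closed` rejects even the unrevoked `0x9999`, and `stale-ok` answers correctly from its cache until `max_stale_seconds` elapses, after which it also fails closed. The size helper is only there to make the "700 million entries" figure concrete under the stated per-entry assumption.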