fix: Update revocation spec

[priteshbandi]

Some updates to revocation specs. Also, removed remotes/upstream/main/ADA-fuzzing-audit-22-23.pdf file.

This PR only updates revocation specs and doesn't addresses renaming issue. Renaming is covered by @yizha1 in separate PR #262

References:

1. https://bugzilla.mozilla.org/show_bug.cgi?id=745747
2. https://www.ibm.com/docs/en/ibm-mq/8.0?topic=certificates-revoked-ocsp
3. https://groups.google.com/g/mozilla.dev.security.policy/c/CLg_MOZoG-M
4. https://docs.oracle.com/middleware/12213/wls/SECMG/ssl_cert_revoc_check.htm#SECMG579
5. https://www.cisco.com/c/en/us/td/docs/security/ise/2-6/pic_admin_guide/PIC_admin26/PIC_admin26_chapter_0101.html
6. https://www.sysadmins.lv/retired-msft-blogs/xdot509/pki-design-considerations-certificate-revocation-and-crl-publishing-strategies.aspx
7. https://www.securew2.com/blog/certificate-revocation-crl-explained
8. https://blog.cloudflare.com/high-reliability-ocsp-stapling/
9. https://uptime.netcraft.com/perf/reports/performance/CRL?reverse=1&orderby=avg_total
10. https://uptime.netcraft.com/perf/reports/performance/OCSP?reverse=1&orderby=avg_total

[yizha1]

Suggest removing Notary v2 references in this document.

[shizhMSFT]

LGTM

[toddysm]

I will need to go over the spec in more detail but one question that immediately pops up is how this revocation will work in air-gapped environments where the OCSP and CDP may not be accessible.

[vaninrao10]

LGTM

[priteshbandi]

I will need to go over the spec in more detail but one question that immediately pops up is how this revocation will work in air-gapped environments where the OCSP and CDP may not be accessible.

Not inherently but user can use plugin verification extensibility.

[yizha1]

@toddysm Maybe we can discuss further on air-gapped environment requirement. My understanding is that in the air-gapped environment, there could still be PKI infrastructure established, right?

[yizha1]

@priteshbandi have you considered this https://en.wikipedia.org/wiki/OCSP_stapling

[priteshbandi]

@priteshbandi have you considered this https://en.wikipedia.org/wiki/OCSP_stapling

Yes but its not directly applicable to our usecase because stapling is done by content provider in our case it would be registry.

[yizha1]

@priteshbandi overall is good, could elaborate a bit about the last comment, how user can use plugin verification extensibility?

I will need to go over the spec in more detail but one question that immediately pops up is how this revocation will work in air-gapped environments where the OCSP and CDP may not be accessible.

Not inherently but user can use plugin verification extensibility.

[shizhMSFT]

LGTM

[gokarnm]

LGTM!

[gokarnm]

LGTM!

[shizhMSFT]

LGTM except the term Notary V2.

[yizha1]

@priteshbandi @shizhMSFT @gokarnm I had another PR covering the naming issue, do you agree that we only fix the revocation related issue in this PR? If yes, maybe @priteshbandi you can update the PR description or add a comment to make it clear about the scope of this PR and point to the PR for naming changes.

[priteshbandi]

@priteshbandi @shizhMSFT @gokarnm I had another PR covering the naming issue, do you agree that we only fix the revocation related issue in this PR? If yes, maybe @priteshbandi you can update the PR description or add a comment to make it clear about the scope of this PR and point to the PR for naming changes.

Updated PR description to reflect that, this PR address only revocation spec changes and renaming is done is separate PR.

[shizhMSFT]

LGTM

[toddysm]

I am OK with the changes in this PR but we need to have another one with the proper terminology.