Re: [therightkey] LC comments on draft-laurie-pki-sunlight-05

Paul Hoffman <> Sat, 16 February 2013 18:54 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 1355421F87CE; Sat, 16 Feb 2013 10:54:39 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -102.588
X-Spam-Status: No, score=-102.588 tagged_above=-999 required=5 tests=[AWL=0.011, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id cYWmPBo5wDGK; Sat, 16 Feb 2013 10:54:37 -0800 (PST)
Received: from (IPv6.Hoffman.Proper.COM [IPv6:2605:8e00:100:41::81]) by (Postfix) with ESMTP id 0F1DE21F86AF; Sat, 16 Feb 2013 10:54:37 -0800 (PST)
Received: from [] ( []) (authenticated bits=0) by (8.14.5/8.14.5) with ESMTP id r1GIsW2B020451 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NO); Sat, 16 Feb 2013 11:54:33 -0700 (MST) (envelope-from
Content-Type: text/plain; charset="iso-8859-1"
Mime-Version: 1.0 (Mac OS X Mail 6.2 \(1499\))
Subject: Re: [therightkey] LC comments on draft-laurie-pki-sunlight-05
From: Paul Hoffman <>
In-Reply-To: <>
Date: Sat, 16 Feb 2013 10:54:32 -0800
Content-Transfer-Encoding: quoted-printable
Message-Id: <>
References: <> <>
To: Phillip Hallam-Baker <>
X-Mailer: Apple Mail (2.1499)
Cc:, IETF Discussion List <>
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: IETF-Discussion <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sat, 16 Feb 2013 18:54:39 -0000

On Feb 16, 2013, at 10:22 AM, Phillip Hallam-Baker <> wrote:

> Looking at the CT proposal, it seems to me that we could fix the business model issue and remove a lot of the CA operational issues as follows:
> 1) Each browser provider that is interested in enforcing a CT requirement stands up a meta-notary server.
> 2) Each CA runs their own notary server and this is the only resource that needs to have a check in at certificate issue.
> 3) Each CA notary server checkpoints to one or more meta-notary servers every 60 minutes. As part of the check in process it uploads the whole information for all the certificates issued in that time interval.
> 4) Meta-Notaries deliver tokens that assert that the CA notaries are current every 60 minutes. Note here that 'current' is according to the criteria set by the meta notary. This is an intentional piece of 'slop' in the system. 
> 5) The OCSP tokens delivered by the CA contain the information necessary to checkpoint the certificate to the Meta-Notaries.
> 6) A browser enforcing CT disclosure pulls a list of anchor points from its chosen meta-notary every 60 minutes and uses them to validate the CT assertions delivered in certs.

Are you saying that those six items should be added to the experimental RFC as requirements, or are you just discussing what might happen operationally after the RFC is published? 

--Paul Hoffman