Re: [therightkey] [cabfpub] Updated Certificate Transparency + Extended Validation plan

Ben Laurie <benl@google.com> Mon, 10 February 2014 11:35 UTC

Date: Mon, 10 Feb 2014 11:35:41 +0000
Message-ID: <CABrd9SSOijFe+B_zXoXKzVz67JPgFsj5g6+urBZ=R9QvYhWETA@mail.gmail.com>
From: Ben Laurie <benl@google.com>
To: "certificate-transparency@googlegroups.com" <certificate-transparency@googlegroups.com>
Cc: "therightkey@ietf.org" <therightkey@ietf.org>, CABFPub <public@cabforum.org>
Subject: Re: [therightkey] [cabfpub] Updated Certificate Transparency + Extended Validation plan

On 10 February 2014 10:13, Rob Stradling <rob.stradling@comodo.com> wrote:
> On 08/02/14 13:32, Ben Laurie wrote:
>>
>> On 5 February 2014 18:21, Rob Stradling <rob.stradling@comodo.com> wrote:
>>>
>>> On 05/02/14 17:49, Adam Langley wrote:
>>>>
>>>>
>>>> On Wed, Feb 5, 2014 at 12:26 PM, Rob Stradling
>>>> <rob.stradling@comodo.com>
>>>> wrote:
>>>>>
>>>>>
>>>>> Presumably it's somewhere between 10 and 31 days, since 1 SCT is
>>>>> acceptable for Stapled OCSP and the BRs permit OCSP Responses to be
>>>>> valid for up to 10 days.
>>>>
>>>>
>>>>
>>>> The speed at which we need to distrust a log depends on the minimum
>>>> number of SCTs actually, which is why allowing a single SCT in stapled
>>>> OCSP responses is such a large concession. If the minimum number of
>>>> SCTs were two then the pressure to distrust a log (and the pressure on
>>>> the logs) would be dramatically reduced because compromising one log
>>>> wouldn't be sufficient.
>>>>
>>>>> Do you still think [1] is a good plan?
>>>>
>>>>
>>>>
>>>> Sure, if any CAs are willing to do it now :)
>>>
>>>
>>>
>>> I think "servers could just download their refreshed certificate over
>>> HTTP periodically and automatically" is the showstopper at the moment.
>>> Yes they could, but I'm not aware of any server that actually
>>> implements such a feature.
>>
>>
>> Work is under way for Apache: https://github.com/trawick/ct-httpd/.
>
>
> That looks like great work, but AFAICT it's only for fetching SCTs from CT
> Logs.
>
> I was talking about the lack of any mechanism in popular webserver software
> for automatically fetching and installing certificates from CAs.  In
> particular: a short-duration certificate that reuses the same public key as
> the previous certificate.

Ah, I see! But why would you need it if you can refresh the SCTs yourself?
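As an added example (not code from the thread or from any of the projects mentioned), here is the gate an automatic fetcher could apply before installing a certificate it has just downloaded from its CA, enforcing the two properties Rob describes: the renewal must reuse the public key of the previous certificate and must be short-lived. It uses only the Go standard library; the 31-day bound, the name example.test and the self-signed sample certificates are assumptions made for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

const maxLifetime = 31 * 24 * time.Hour // assumed policy bound for "short-duration"

// acceptRenewal gates installation of a certificate just fetched from the CA: it
// must reuse the server's current public key (same SPKI bytes) and be short-lived.
func acceptRenewal(current, fetched *x509.Certificate) error {
	if !bytes.Equal(current.RawSubjectPublicKeyInfo, fetched.RawSubjectPublicKeyInfo) {
		return fmt.Errorf("fetched certificate does not reuse the current public key")
	}
	if life := fetched.NotAfter.Sub(fetched.NotBefore); life > maxLifetime {
		return fmt.Errorf("validity %v exceeds short-lived bound %v", life, maxLifetime)
	}
	return nil
}

// makeCert builds a constructed self-signed sample; a CA-issued renewal is checked identically.
func makeCert(key *ecdsa.PrivateKey, serial int64, from time.Time, life time.Duration) *x509.Certificate {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), DNSNames: []string{"example.test"},
		NotBefore: from, NotAfter: from.Add(life)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// runScenario checks three candidates against an installed 30-day certificate: same key (ok), other key, one-year.
func runScenario() (sameKey, otherKey, tooLong error) {
	keyA, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	keyB, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	now, day := time.Now(), 24*time.Hour
	current := makeCert(keyA, 1, now.Add(-20*day), 30*day)
	sameKey = acceptRenewal(current, makeCert(keyA, 2, now, 30*day))
	otherKey = acceptRenewal(current, makeCert(keyB, 3, now, 30*day))
	tooLong = acceptRenewal(current, makeCert(keyA, 4, now, 365*day))
	return
}
```

Only the first candidate passes; a certificate bound to a different key would force a key rollover on the server, and a long-lived one defeats the point of the short-duration scheme.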