Re: [therightkey] [cabfpub] Thoughts on reducing SCT sizes (was Re: Updated Certificate Transparency + Extended Validation plan)

Ben Laurie <benl@google.com> Tue, 18 February 2014 18:28 UTC

To: "certificate-transparency@googlegroups.com" <certificate-transparency@googlegroups.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/therightkey/-Nm3W9cx1aBah6Pt92X49et01CU
Cc: "therightkey@ietf.org" <therightkey@ietf.org>, CABFPub <public@cabforum.org>

On 18 February 2014 17:07, Daniel Kahn Gillmor <dkg@fifthhorseman.net> wrote:
> On 02/18/2014 11:58 AM, Ben Laurie wrote:
>> On 18 February 2014 15:37, Tim Moses <tim.moses@entrust.com> wrote:
>>> Ben - Will Chrome deny EV status to a certificate with too few SCTs, or will it grant EV status as long as at least one of its SCTs is from a log that remains in the program?
>>
>> It will deny.
>
> Doesn't this reintroduce the perverse incentive to avoid killing a
> known-misbehaving log?
>
> one of the nice things about requiring corroborative SCTs on new certs
> is that we can kill any log that is misbehaving without any pushback
> from certificate-holders concerned that their site will "go dark" (or
> "lose the fancy green label", in this EV case).
>
> If we make it so that the EV label goes away when either of the
> corroborators dies, then certificate holders have incentive to support a
> failed log, even though this goes against the best interests of their users.

That's not the rule. The rule is you need one SCT from a live log, and
N SCTs from logs that were valid at the time of issue.
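
The rule stated in the last message, written out as an added example (not part of the original thread and not Chrome's code), showing that distrusting one log does not cost a certificate its EV status while another of its SCTs comes from a live log. Assumptions: the `Log` fields, the log names, integer times, counting N over distinct logs, and SCT signatures already verified are all hypothetical choices made for illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Log:
    # Hypothetical client-side record of a CT log (fields are assumptions).
    log_id: str
    accepted_at: int                     # time the client began accepting the log
    distrusted_at: Optional[int] = None  # None means the log is still live

    def valid_at(self, t: int) -> bool:
        """True if the client considered the log valid at time t."""
        return self.accepted_at <= t and (
            self.distrusted_at is None or t < self.distrusted_at
        )


def ev_sct_check(sct_log_ids, logs, issued_at, now, n):
    """Apply the rule: one SCT from a live log, and N SCTs from logs
    that were valid at the time of issue. Returns (ok, reason)."""
    # SCTs from unknown logs are ignored; several SCTs from one log count once.
    seen = {logs[i] for i in set(sct_log_ids) if i in logs}
    live = [log for log in seen if log.valid_at(now)]
    valid_at_issue = [log for log in seen if log.valid_at(issued_at)]
    if not live:
        return False, "no SCT from a live log"
    if len(valid_at_issue) < n:
        return False, f"only {len(valid_at_issue)} of {n} SCTs from logs valid at issue"
    return True, "ok"


# Constructed sample data: log-b was distrusted at t=200, log-c accepted at t=150.
LOGS = {
    "log-a": Log("log-a", accepted_at=0),
    "log-b": Log("log-b", accepted_at=0, distrusted_at=200),
    "log-c": Log("log-c", accepted_at=150),
}

if __name__ == "__main__":
    # Issued at t=100 with SCTs from log-a and log-b, checked at t=300 with N=2.
    print(ev_sct_check(["log-a", "log-b"], LOGS, issued_at=100, now=300, n=2))
    # Same certificate if its only SCTs came from the now-distrusted log.
    print(ev_sct_check(["log-b", "log-b"], LOGS, issued_at=100, now=300, n=1))
    # Issued after log-b was distrusted: log-b no longer counts towards N.
    print(ev_sct_check(["log-a", "log-b"], LOGS, issued_at=250, now=300, n=2))
```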