Re: [therightkey] [cabfpub] Updated Certificate Transparency + Extended Validation plan

Ryan Sleevi <sleevi@google.com> Tue, 04 February 2014 18:08 UTC

In-Reply-To: <CAL9PXLyWFSfHz_230SkWLvr7sUROPv_k0rfKgmkMRRttk-EjGQ@mail.gmail.com>
References: <CABrd9STwBDxwB1vtmS9Ozb5e_7D=zfOqkOBeAaT2HG7X-cw5gw@mail.gmail.com> <04a001cf21cf$3a649190$af2db4b0$@digicert.com> <CAL9PXLyWFSfHz_230SkWLvr7sUROPv_k0rfKgmkMRRttk-EjGQ@mail.gmail.com>
Date: Tue, 04 Feb 2014 10:08:25 -0800
Message-ID: <CACvaWvbu0=zcEH++LH-sWeiOu_FDPBjsjO15KfK3UN5Q89-FTw@mail.gmail.com>
From: Ryan Sleevi <sleevi@google.com>
To: Adam Langley <agl@chromium.org>
Cc: therightkey@ietf.org, certificate-transparency@googlegroups.com, CABFPub <public@cabforum.org>
Subject: Re: [therightkey] [cabfpub] Updated Certificate Transparency + Extended Validation plan

One can also use OCSP Stapling or the TLS extension. OCSP stapling is
particularly useful for also dealing with the revocation status in a single
response.
On Feb 4, 2014 9:52 AM, "Adam Langley" <agl@chromium.org> wrote:

> On Tue, Feb 4, 2014 at 12:33 PM, Jeremy Rowley
> <jeremy.rowley@digicert.com> wrote:
> > Three or four proofs for a 27 month certificate is way too many.  The
> number of proofs should be decided based on the customer's risk profile,
> not a set number based on certificate lifecycle. Adding 400 bytes per
> certificate will make EV certificates unusable by entities concerned with
> performance.
>
> The customer doesn't carry the risk: the risk is that we'll be unable
> to revoke a log in clients due to the number of certificates that
> depend on it.
>
> We should make the SCTs as small as possible; the switch to larger
> initcwnds in recent years has released much of the pressure on keeping
> certificate sizes below the traditional initcwnd limit.
>
>
> Cheers
>
> AGL
> _______________________________________________
> Public mailing list
> Public@cabforum.org
> https://cabforum.org/mailman/listinfo/public
>