IETF Logo Mail Archive

Re: [therightkey] [cabfpub] Updated Certificate Transparency + Extended Validation plan

"Jeremy Rowley" <jeremy.rowley@digicert.com> Tue, 04 February 2014 19:10 UTC

Return-Path: <jeremy.rowley@digicert.com>
X-Original-To: therightkey@ietfa.amsl.com
Delivered-To: therightkey@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5F6F81A01CD for <therightkey@ietfa.amsl.com>; Tue, 4 Feb 2014 11:10:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.837
X-Spam-Level:
X-Spam-Status: No, score=-4.837 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.535, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id C23S9i7TS7Ag for <therightkey@ietfa.amsl.com>; Tue, 4 Feb 2014 11:10:10 -0800 (PST)
Received: from mail.digicert.com (mail.digicert.com [64.78.193.232]) by ietfa.amsl.com (Postfix) with ESMTP id BDC2B1A01D1 for <therightkey@ietf.org>; Tue, 4 Feb 2014 11:10:09 -0800 (PST)
Received: from JROWLEYL1 (unknown [67.137.52.8]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mail.digicert.com (Postfix) with ESMTPSA id 36FE08FA0B0; Tue, 4 Feb 2014 12:10:09 -0700 (MST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=digicert.com; s=mail; t=1391541009; bh=F+V0GEne23lw4CXIWYRP2EmkuP1vUFI271grt8y1HWs=; h=From:To:Cc:References:In-Reply-To:Subject:Date; b=OdEPfDS2LfADcQgeeAT9u8pXl9FTPRgtYQM/TZd5uG3jhHsj7IVUg9No0xzX2rwB7 62IIjP1L4u6cT+9uGVVr3u8p/NDlAgoSl/4rn/hUYjUOTM+KCx+622RS6nKKbi2hmm 3txdydSNoswfljal7+8SaqLXm1VxE6YDdXbw+pHc=
From: Jeremy Rowley <jeremy.rowley@digicert.com>
To: 'Adam Langley' <agl@chromium.org>, 'certificate-transparency' <certificate-transparency@googlegroups.com>
References: <CABrd9STwBDxwB1vtmS9Ozb5e_7D=zfOqkOBeAaT2HG7X-cw5gw@mail.gmail.com> <04a001cf21cf$3a649190$af2db4b0$@digicert.com> <01dc01cf21db$146dac40$3d4904c0$@globalsign.com> <CAL9PXLzFNCmwrQVBJKPuB8v2hSe6akT-rFku=p60PicLYH8JMA@mail.gmail.com>
In-Reply-To: <CAL9PXLzFNCmwrQVBJKPuB8v2hSe6akT-rFku=p60PicLYH8JMA@mail.gmail.com>
Date: Tue, 04 Feb 2014 12:10:13 -0700
Message-ID: <05c501cf21dc$bbc70da0$335528e0$@digicert.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQGGS/IGH2GP3iOZeF9RA+GsPjuqQQF9nIx2AcGvbgECdUvoyJsJe7iQ
Content-Language: en-us
Cc: 'therightkey' <therightkey@ietf.org>, 'Ben Laurie' <benl@google.com>, 'CABFPub' <public@cabforum.org>
Subject: Re: [therightkey] [cabfpub] Updated Certificate Transparency + Extended Validation plan
X-BeenThere: therightkey@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <therightkey.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/therightkey>, <mailto:therightkey-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/therightkey/>
List-Post: <mailto:therightkey@ietf.org>
List-Help: <mailto:therightkey-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/therightkey>, <mailto:therightkey-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 04 Feb 2014 19:10:12 -0000

I do not think this is correct.  The number of proofs actually increases as you decrease validity periods. A 2-year certificate only lets the customer skip a year in the renewal process.  A 2-year certificate will lower the number of certificates logged by one (since the customer would need to log two 1-year certificates instead of one 2-year certificate). The number of domains requiring a certificate identifies the quantity of proofs, not the number of certificates actually issued.

Jeremy

-----Original Message-----
From: agl@google.com [mailto:agl@google.com] On Behalf Of Adam Langley
Sent: Tuesday, February 04, 2014 12:05 PM
To: certificate-transparency
Cc: Jeremy Rowley; Ben Laurie; CABFPub; therightkey
Subject: Re: [cabfpub] Updated Certificate Transparency + Extended Validation plan

On Tue, Feb 4, 2014 at 1:58 PM, Doug Beattie <doug.beattie@globalsign.com> wrote:
> The number of proofs should be related to the reputation of the CA, 
> the number of years the CA has been in business

I think you're assuming that a larger number of proofs is designed to catch possible malpractice on the part of the CA, but that's not it at all.

The aim is to make sure that bad /logs/ can be distrusted. The major obstacle to killing logs is that certificates depend on the proofs and that, if we killed all the logs that a certificate was depending on, the site in question might go dark. In order to make sure that logs can be distrusted without blowback, the number of proofs increases as the duration of the certificate does. Thus, even if we kill one log every 12 months (which we certainly hope not to do!), longer lived certificates would still be functional towards the end of their lives.


Cheers

AGL

v2.23.0 | Report a Bug | By Email