Re: [therightkey] [cabfpub] Updated Certificate Transparency + Extended Validation plan

Ryan Sleevi <sleevi@google.com> Tue, 04 February 2014 21:14 UTC


On Tue, Feb 4, 2014 at 12:50 PM, Adam Langley <agl@chromium.org> wrote:

> On Tue, Feb 4, 2014 at 3:37 PM, Jeremy Rowley
> <jeremy.rowley@digicert.com> wrote:
> > Doesn't that simply require the cert user to either start using OCSP
> > with an embedded certificate or getting a new certificate from the user?
>
> If the certificate was used with OCSP stapling, the CA had a
> reasonably short OCSP validity window and the CA could update the SCT
> in the OCSP response quickly then that would solve the problem.
>
> However, for the purposes of this spec I don't think we said anything
> about that because of the complexity. Having multiple SCTs is clearly
> ok and that kept things simple.
>
> > Plus, under the current plan, the site doesn't go dark. Instead, their
> > EV cert isn't recognized as an EV certificate.
>
> For EV certificates the problem is greatly reduced. But EV
> certificates are just a trial for doing it universally and we have the
> end state in mind.


Also, EV has the added benefit of recommending/requiring (depending on
which doc) fresh revocation checks. As such, CAs that feel that multiple
logs are too onerous can benefit from the OCSP delivery method. Failing to
obtain fresh revocation information can already cause a loss of EV UI, so
including an SCT should be a much less onerous cross to bear.

It also allows for issuance patterns other than pre-certs.

Of course, it means that any sites purchasing certificates from such a CA
support OCSP stapling.
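The OCSP delivery path discussed above, as an added illustration that is not code from this thread, Chrome or the CT project: it TLS-encodes and parses the RFC 6962 SignedCertificateTimestampList that an OCSP response carries in its CT extension, then counts SCTs from distinct logs a client still treats as qualified, which is what lets a CA that refreshes the stapled SCT after a log is dropped keep the certificate compliant. Log IDs, timestamps and signature bytes are constructed placeholders, and signatures are not verified.

```python
import struct

SCT_V1 = 0  # RFC 6962 s3.2 version byte
LOG_A, LOG_B, LOG_C = (bytes([c]) * 32 for c in b"ABC")  # constructed placeholder log IDs
QUALIFIED = {LOG_A, LOG_B}  # LOG_C stands in for a log the client has disqualified

def encode_sct(log_id: bytes, timestamp_ms: int, signature: bytes) -> bytes:
    """TLS-encode one SignedCertificateTimestamp: version(1) log_id(32)
    timestamp(8, ms) extensions(2-byte length, empty) DigitallySigned."""
    if len(log_id) != 32:
        raise ValueError("log_id must be the 32-byte SHA-256 of the log key")
    sig_hdr = bytes([4, 3]) + struct.pack(">H", len(signature))  # sha256, ecdsa
    return (bytes([SCT_V1]) + log_id + struct.pack(">Q", timestamp_ms)
            + struct.pack(">H", 0) + sig_hdr + signature)

def encode_sct_list(scts: list) -> bytes:
    # SignedCertificateTimestampList: 2-byte total, then 2-byte-length-prefixed SCTs
    body = b"".join(struct.pack(">H", len(s)) + s for s in scts)
    return struct.pack(">H", len(body)) + body

def parse_sct(buf: bytes) -> dict:
    if len(buf) < 47 or buf[0] != SCT_V1:
        raise ValueError("unsupported version or truncated SCT")
    log_id = buf[1:33]
    ts_ms, ext_len = struct.unpack(">QH", buf[33:43])
    off = 43 + ext_len  # skip extensions; none are defined for v1
    if off + 4 > len(buf):
        raise ValueError("truncated DigitallySigned header")
    hash_alg, sig_alg, sig_len = struct.unpack(">BBH", buf[off:off + 4])
    sig = buf[off + 4:off + 4 + sig_len]
    if len(sig) != sig_len:
        raise ValueError("truncated signature")
    return {"log_id": log_id, "timestamp_ms": ts_ms,
            "hash_alg": hash_alg, "sig_alg": sig_alg, "signature": sig}

def parse_sct_list(blob: bytes) -> list:
    """Parse the list as carried in the OCSP CT extension (OID 1.3.6.1.4.1.11129.2.4.5)."""
    (total,) = struct.unpack(">H", blob[:2])
    if len(blob) != 2 + total:
        raise ValueError("SCT list length mismatch")
    scts, off = [], 2
    while off < len(blob):
        (n,) = struct.unpack(">H", blob[off:off + 2])
        scts.append(parse_sct(blob[off + 2:off + 2 + n]))
        off += 2 + n
    return scts

def distinct_qualified_logs(scts: list, qualified: set) -> int:
    """Count SCTs from distinct logs still in the client's qualified set."""
    return len({s["log_id"] for s in scts if s["log_id"] in qualified})
```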