Re: [therightkey] [cabfpub] Updated Certificate Transparency + Extended Validation plan
Ryan Sleevi <sleevi@google.com> Tue, 04 February 2014 21:14 UTC
In-Reply-To: <CAL9PXLzKqwNavow6Vhm9FBD_9U_PepNSxfRZfQv7=r7vDeb07w@mail.gmail.com>
Date: Tue, 04 Feb 2014 13:14:51 -0800
Message-ID: <CACvaWva9ZQda7POS8OQH65QKe0LryV4NF9yG5nGj5n=JeivDcw@mail.gmail.com>
From: Ryan Sleevi <sleevi@google.com>
To: Adam Langley <agl@chromium.org>
Cc: therightkey <therightkey@ietf.org>, certificate-transparency <certificate-transparency@googlegroups.com>, CABFPub <public@cabforum.org>
On Tue, Feb 4, 2014 at 12:50 PM, Adam Langley <agl@chromium.org> wrote:
> On Tue, Feb 4, 2014 at 3:37 PM, Jeremy Rowley
> <jeremy.rowley@digicert.com> wrote:
> > Doesn't that simply require the cert user to either start using OCSP
> > with an embedded certificate or getting a new certificate from the user?
>
> If the certificate was used with OCSP stapling, the CA had a
> reasonably short OCSP validity window and the CA could update the SCT
> in the OCSP response quickly then that would solve the problem.
>
> However, for the purposes of this spec I don't think we said anything
> about that because of the complexity. Having multiple SCTs is clearly
> ok and that kept things simple.
>
> > Plus, under the current plan, the site doesn't go dark. Instead, their
> > EV cert isn't recognized as an EV certificate.
>
> For EV certificates the problem is greatly reduced. But EV
> certificates are just a trial for doing it universally and we have the
> end state in mind.

Also, EV has the added benefit of recommending/requiring (depending on which doc) fresh revocation checks. As such, CAs that feel that multiple logs are too onerous can benefit from the OCSP delivery method. Failing to obtain fresh revocation information can already cause a loss of EV UI, so including an SCT should be a much less onerous cross to bear. It also allows for issuance patterns other than pre-certs.

Of course, it means that any sites purchasing certificates from such a CA must support OCSP stapling.
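The thread above discusses delivering SCTs in a stapled OCSP response rather than in the certificate itself, and notes that "multiple SCTs is clearly ok". Whichever channel carries them, the client ends up with the same RFC 6962 SignedCertificateTimestampList and has to parse and police it. The following Python is an added example, not code from this message, the CT project or any CA: it parses a SignedCertificateTimestampList as carried in the CT OCSP extension (OID 1.3.6.1.4.1.11129.2.4.5) or the TLS signed_certificate_timestamp extension, and applies a simple acceptance policy (timestamps not in the future, a minimum number of distinct logs). The log IDs, timestamps, signature bytes and the policy thresholds are constructed placeholders, not real logs or any browser's actual policy; signature verification against a log's public key is deliberately left out.

```python
"""Parse an RFC 6962 SignedCertificateTimestampList and apply a toy acceptance
policy.  Added example for the thread above; the sample log IDs, timestamps and
signature bytes are constructed and do not correspond to any real CT log."""
import struct
from dataclasses import dataclass
from typing import List

SCT_V1 = 0  # RFC 6962 Version.v1


@dataclass
class SCT:
    version: int
    log_id: bytes       # 32-byte SHA-256 of the log's DER public key
    timestamp_ms: int   # milliseconds since the Unix epoch
    extensions: bytes   # CtExtensions; empty in v1 practice
    hash_alg: int       # TLS HashAlgorithm code point (4 = sha256)
    sig_alg: int        # TLS SignatureAlgorithm code point (3 = ecdsa)
    signature: bytes    # raw signature bytes, not verified here


def _read_u16_vec(buf: bytes, off: int):
    """Read a TLS opaque<0..2^16-1> vector at buf[off:]; return (body, new offset)."""
    if off + 2 > len(buf):
        raise ValueError("truncated length prefix")
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    if off + n > len(buf):
        raise ValueError("truncated vector body")
    return buf[off:off + n], off + n


def parse_sct(data: bytes) -> SCT:
    """Parse one SerializedSCT (RFC 6962 section 3.2 wire format)."""
    if len(data) < 1 + 32 + 8 + 2 + 2 + 2:
        raise ValueError("SCT too short")
    version = data[0]
    if version != SCT_V1:
        raise ValueError(f"unsupported SCT version {version}")
    log_id = data[1:33]
    (timestamp_ms,) = struct.unpack_from(">Q", data, 33)
    extensions, off = _read_u16_vec(data, 41)
    hash_alg, sig_alg = data[off], data[off + 1]
    signature, off = _read_u16_vec(data, off + 2)
    if off != len(data):
        raise ValueError("trailing bytes after SCT")
    return SCT(version, log_id, timestamp_ms, extensions, hash_alg, sig_alg, signature)


def parse_sct_list(data: bytes) -> List[SCT]:
    """Parse a SignedCertificateTimestampList (RFC 6962 section 3.3)."""
    body, off = _read_u16_vec(data, 0)
    if off != len(data):
        raise ValueError("trailing bytes after SCT list")
    scts, pos = [], 0
    while pos < len(body):
        serialized, pos = _read_u16_vec(body, pos)
        if not serialized:
            raise ValueError("empty SerializedSCT")  # SerializedSCT<1..2^16-1>
        scts.append(parse_sct(serialized))
    if not scts:
        raise ValueError("SCT list must contain at least one SCT")
    return scts


def check_sct_policy(scts: List[SCT], now_ms: int,
                     min_distinct_logs: int = 1, max_skew_ms: int = 0) -> List[str]:
    """Return a list of policy violations; an empty list means the SCTs are acceptable.
    The thresholds are assumptions for this example, not any client's real policy."""
    problems = []
    for i, sct in enumerate(scts):
        if sct.timestamp_ms > now_ms + max_skew_ms:
            problems.append(f"sct[{i}] timestamp is in the future")
    if len({sct.log_id for sct in scts}) < min_distinct_logs:
        problems.append(f"fewer than {min_distinct_logs} distinct logs")
    return problems


# --- builders used only to construct the sample input below -------------------
def build_sct(log_id: bytes, timestamp_ms: int, signature: bytes,
              extensions: bytes = b"", hash_alg: int = 4, sig_alg: int = 3) -> bytes:
    return (bytes([SCT_V1]) + log_id + struct.pack(">Q", timestamp_ms)
            + struct.pack(">H", len(extensions)) + extensions
            + bytes([hash_alg, sig_alg])
            + struct.pack(">H", len(signature)) + signature)


def build_sct_list(serialized_scts: List[bytes]) -> bytes:
    body = b"".join(struct.pack(">H", len(s)) + s for s in serialized_scts)
    return struct.pack(">H", len(body)) + body


# Constructed sample: two SCTs from two (fake) logs, as a CA might place in an
# OCSP response.  Signature bytes are placeholders, not valid ECDSA signatures.
SAMPLE_SCT_LIST = build_sct_list([
    build_sct(b"\x01" * 32, 1391548491306, b"\x30\x06\x02\x01\x01\x02\x01\x02"),
    build_sct(b"\x02" * 32, 1391548500000, b"\x30\x06\x02\x01\x03\x02\x01\x04"),
])

if __name__ == "__main__":
    for sct in parse_sct_list(SAMPLE_SCT_LIST):
        print(sct.log_id.hex()[:16], sct.timestamp_ms, sct.hash_alg, sct.sig_alg)
    print(check_sct_policy(parse_sct_list(SAMPLE_SCT_LIST), now_ms=1391548600000,
                           min_distinct_logs=2))
```

Because an OCSP-delivered SCT list can change every time the server refreshes its stapled response, a client using this path re-runs the parse and policy check on each fresh response rather than caching the result for the certificate's lifetime; a real client also verifies each SCT's signature over the certificate (or precertificate) with the log key identified by `log_id`, which this example does not do.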