Re: [therightkey] [cabfpub] Updated Certificate Transparency + Extended Validation plan
Ryan Sleevi <sleevi@google.com> Tue, 04 February 2014 19:21 UTC
Return-Path: <sleevi@google.com>
X-Original-To: therightkey@ietfa.amsl.com
Delivered-To: therightkey@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E0C591A01DF for <therightkey@ietfa.amsl.com>; Tue, 4 Feb 2014 11:21:51 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.913
X-Spam-Level:
X-Spam-Status: No, score=-1.913 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RP_MATCHES_RCVD=-0.535, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fB7iFB-lUbm7 for <therightkey@ietfa.amsl.com>; Tue, 4 Feb 2014 11:21:47 -0800 (PST)
Received: from mail-qa0-x22a.google.com (mail-qa0-x22a.google.com [IPv6:2607:f8b0:400d:c00::22a]) by ietfa.amsl.com (Postfix) with ESMTP id 60D2A1A0187 for <therightkey@ietf.org>; Tue, 4 Feb 2014 11:21:47 -0800 (PST)
Received: by mail-qa0-f42.google.com with SMTP id k4so13043991qaq.15 for <therightkey@ietf.org>; Tue, 04 Feb 2014 11:21:46 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=J+1Jah/6mKjqsysNHLH4huALhjSujRYb3vkX5VaU6VU=; b=Y0ymzPz9lvtMH7TYPj1tZWE+l9ydCTWxeXI7uytgqwNCCj2Yq4WMxrmVtvOqj5RX2P 1CZE05YnOsfRESiVR6t1V+KfFZRFl3aoD/ZRWgIocUCIzqPB1PcxjoMG8c9IGzrNbSGB CjHY3AsUGFczcEKehn8FOLc7yN8X50V6Da6p5g9E3Wi1B+G22syjhFIZqAltJ3VmvkNg nlW87ynQQ7ewllOzpMPI8EFFic/EKeyTB+o98k8h1TBB5EUjK9eW6WJyvfla3FyKmq5o u+bIjfZqrZsMBUwA4WHMPRHOXcj+x5u6LZgxk3pY7fzHzJIEY7lLMwXtNAbTqrBLCmKS dQLQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=J+1Jah/6mKjqsysNHLH4huALhjSujRYb3vkX5VaU6VU=; b=l2oT045tz6jVFGSX63Uwp0uun8tlRHKKpBtM7MzWZAGQcSUj9IB8nSazOYmRjow/vd sDrvgA3sfF4RBwz6tDZcfWFQ4ZEiYpk/G0gszPXPnSC8vkSWxFCmUPqv0G7jxSNk7o+v oxISFnKISTcUxksNkJEjlwGVCXH7fuz7fCEx3/OZJFw348Sjz3REbLy3uTxKYXWRn3ws L2BIP5ZEKyWU7mAsUKdASz+AUUkNhZWtMnh+z7aW2bok9Uv2pJvcUX5gVUfyCEjnB3NB vBaJ5lDEGo7/9Y/Hk+ZaEHIcFr9mgxt23yETOVpORt/wNV9mPLE0iOAtca2G5d8rcJZI t1GA==
X-Gm-Message-State: ALoCoQku3VmliJqzaA54RTAOLwXOLWpXPPBtS4m0UcbP9FjEtmRbyEbyOJ9pLdhixcHoU3eR9GCUhn4gfLezbOm8ehF7tMj4cSOwcMtf6wg1poFIDGuBT+ssutGg1L2BE4OxgpGqr8ZyOicY+Tw/Mb2e1vy+vR8tu5YDIvdp/72GyUHHW1sdqjeNfll6Cze9z3e8/gwBv1Di
MIME-Version: 1.0
X-Received: by 10.140.109.228 with SMTP id l91mr65092760qgf.72.1391541706759; Tue, 04 Feb 2014 11:21:46 -0800 (PST)
Received: by 10.229.154.208 with HTTP; Tue, 4 Feb 2014 11:21:46 -0800 (PST)
In-Reply-To: <05c401cf21dc$27903e40$76b0bac0$@digicert.com>
References: <CABrd9STwBDxwB1vtmS9Ozb5e_7D=zfOqkOBeAaT2HG7X-cw5gw@mail.gmail.com> <04a001cf21cf$3a649190$af2db4b0$@digicert.com> <CAL9PXLyWFSfHz_230SkWLvr7sUROPv_k0rfKgmkMRRttk-EjGQ@mail.gmail.com> <05bf01cf21db$5146c2a0$f3d447e0$@digicert.com> <05c401cf21dc$27903e40$76b0bac0$@digicert.com>
Date: Tue, 04 Feb 2014 11:21:46 -0800
Message-ID: <CACvaWvav-u1So5QuZtUEqzfV7XV-vFi7HOmussNaPjx=GLje+g@mail.gmail.com>
From: Ryan Sleevi <sleevi@google.com>
To: Jeremy Rowley <jeremy.rowley@digicert.com>
Content-Type: multipart/alternative; boundary="001a1138fa841f333904f1998d3b"
Cc: therightkey@ietf.org, Adam Langley <agl@chromium.org>, certificate-transparency@googlegroups.com, CABFPub <public@cabforum.org>
Subject: Re: [therightkey] [cabfpub] Updated Certificate Transparency + Extended Validation plan
X-BeenThere: therightkey@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <therightkey.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/therightkey>, <mailto:therightkey-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/therightkey/>
List-Post: <mailto:therightkey@ietf.org>
List-Help: <mailto:therightkey-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/therightkey>, <mailto:therightkey-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 04 Feb 2014 19:21:52 -0000
On Tue, Feb 4, 2014 at 11:06 AM, Jeremy Rowley <jeremy.rowley@digicert.com>wrote: > Also, I'm not sure how basing the number of logs based on the lifecycle > actually minimizes the impact of log revocation. If a log containing a > couple thousand 1-year certificates is compromised, the damage from > revocation is about the same as a log containing thousands of 3-year certs. > Unless you plan is to revoke the log and wait for all impacted certificates > to actually expire (giving a 12 month risk), the impact depends on the > number of certificates valid at the time of revocation, not the expiration > date of the certificate. > > The "impact" is only present if a single SCT is acceptable. Increasing the number of SCTs decreases the impact of log revocation, as the probability that any given certificate will be directly affected by a single revocation (which is far, far less common one would hope) decreases relative to the number of distinct logs it is logged in. Further, a 1 year certificate that is renewed every year has a greater chance to respond to any revocation events than a 3 year certificate, which will not be re-issued for 3 years, and thus is unable to respond to any revocation events (as unlikely as they may be) that happen in the interim. > -----Original Message----- > From: public-bounces@cabforum.org [mailto:public-bounces@cabforum.org] On > Behalf Of Jeremy Rowley > Sent: Tuesday, February 04, 2014 12:00 PM > To: 'Adam Langley'; certificate-transparency@googlegroups.com > Cc: therightkey@ietf.org; 'CABFPub' > Subject: Re: [cabfpub] [therightkey] Updated Certificate Transparency + > Extended Validation plan > > The entire point is to disclose the entire universe of public certificates > to the customer. If the customer doesn't want to use it, the purpose is no > longer being fulfilled. The way we plan on implementing CT will ensure logs > are not irrevocable. I agree we should make SCTs as small as possible, but > the last I've heard from our team is they are still at 100 bytes per log. > > Jeremy > > -----Original Message----- > From: therightkey [mailto:therightkey-bounces@ietf.org] On Behalf Of Adam > Langley > Sent: Tuesday, February 04, 2014 10:52 AM > To: certificate-transparency@googlegroups.com > Cc: therightkey@ietf.org; Ben Laurie; CABFPub > Subject: Re: [therightkey] [cabfpub] Updated Certificate Transparency + > Extended Validation plan > > On Tue, Feb 4, 2014 at 12:33 PM, Jeremy Rowley <jeremy.rowley@digicert.com > > > wrote: > > Three or four proofs for a 27 month certificate is way too many. The > number of proofs should be decided based on the customer's risk profile, > not > a set number based on certificate lifecycle. Adding 400 bytes per > certificate will make EV certificates unusable by entities concerned with > performance. > > The customer doesn't carry the risk: the risk is that we'll be unable to > revoke a log in clients due to the number of certificates that depend on > it. > > We should make the SCTs as small as possible, the the switch to larger > initcwnds in recent years has released much of the pressure on keeping > certificate sizes below the tradition initcwnd limit. > > > Cheers > > AGL > _______________________________________________ > therightkey mailing list > therightkey@ietf.org > https://www.ietf.org/mailman/listinfo/therightkey > > _______________________________________________ > Public mailing list > Public@cabforum.org > https://cabforum.org/mailman/listinfo/public > > _______________________________________________ > Public mailing list > Public@cabforum.org > https://cabforum.org/mailman/listinfo/public >
- [therightkey] Updated Certificate Transparency + … Ben Laurie
- Re: [therightkey] [cabfpub] Updated Certificate T… Jeremy Rowley
- Re: [therightkey] [cabfpub] Updated Certificate T… Adam Langley
- Re: [therightkey] [cabfpub] Updated Certificate T… Ryan Sleevi
- Re: [therightkey] [cabfpub] Updated Certificate T… Jeremy Rowley
- Re: [therightkey] [cabfpub] Updated Certificate T… Adam Langley
- Re: [therightkey] [cabfpub] Updated Certificate T… Jeremy Rowley
- Re: [therightkey] [cabfpub] Updated Certificate T… Jeremy Rowley
- Re: [therightkey] [cabfpub] Updated Certificate T… Ryan Sleevi
- Re: [therightkey] [cabfpub] Updated Certificate T… Adam Langley
- Re: [therightkey] [cabfpub] Updated Certificate T… Adam Langley
- Re: [therightkey] [cabfpub] Updated Certificate T… Jeremy Rowley
- Re: [therightkey] [cabfpub] Updated Certificate T… Adam Langley
- Re: [therightkey] [cabfpub] Updated Certificate T… Jeremy Rowley
- Re: [therightkey] [cabfpub] Updated Certificate T… Adam Langley
- Re: [therightkey] [cabfpub] Updated Certificate T… Jeremy Rowley
- Re: [therightkey] [cabfpub] Updated Certificate T… Adam Langley
- Re: [therightkey] [cabfpub] Updated Certificate T… Ben Laurie
- Re: [therightkey] [cabfpub] Updated Certificate T… Ryan Sleevi
- Re: [therightkey] Updated Certificate Transparenc… Wayne Thayer
- Re: [therightkey] [cabfpub] Updated Certificate T… Ryan Sleevi
- Re: [therightkey] [cabfpub] Updated Certificate T… Wayne Thayer
- Re: [therightkey] [cabfpub] Updated Certificate T… Jeremy Rowley
- Re: [therightkey] [cabfpub] Updated Certificate T… Ryan Sleevi
- Re: [therightkey] [cabfpub] Updated Certificate T… Wayne Thayer
- Re: [therightkey] [cabfpub] Updated Certificate T… Ryan Sleevi
- Re: [therightkey] [cabfpub] Updated Certificate T… Wayne Thayer
- Re: [therightkey] [cabfpub] Updated Certificate T… Ryan Sleevi
- [therightkey] Thoughts on reducing SCT sizes (was… Rob Stradling
- Re: [therightkey] Updated Certificate Transparenc… Ben Laurie
- Re: [therightkey] [cabfpub] Updated Certificate T… Rob Stradling
- Re: [therightkey] EXTERNAL: Re: [cabfpub] Updated… Mehner, Carl
- Re: [therightkey] Updated Certificate Transparenc… Rob Stradling
- Re: [therightkey] Updated Certificate Transparenc… Adam Langley
- Re: [therightkey] [cabfpub] Thoughts on reducing … Jeremy Rowley
- Re: [therightkey] [cabfpub] Updated Certificate T… Jeremy Rowley
- Re: [therightkey] [cabfpub] Updated Certificate T… Jeremy Rowley
- Re: [therightkey] [cabfpub] Updated Certificate T… Jeremy Rowley
- Re: [therightkey] [cabfpub] Updated Certificate T… Carl Wallace
- Re: [therightkey] Updated Certificate Transparenc… Paul Hoffman
- Re: [therightkey] Updated Certificate Transparenc… Adam Langley
- Re: [therightkey] [cabfpub] Updated Certificate T… Rob Stradling
- Re: [therightkey] Updated Certificate Transparenc… Paul Hoffman
- Re: [therightkey] Updated Certificate Transparenc… Rob Stradling
- Re: [therightkey] [cabfpub] Updated Certificate T… Rob Stradling
- Re: [therightkey] Updated Certificate Transparenc… Rick Andrews
- Re: [therightkey] Updated Certificate Transparenc… Adam Langley
- Re: [therightkey] [cabfpub] Updated Certificate T… Ryan Sleevi
- Re: [therightkey] [cabfpub] Updated Certificate T… michal.proszkiewicz
- Re: [therightkey] Updated Certificate Transparenc… Ben Laurie
- Re: [therightkey] [cabfpub] Updated Certificate T… Ben Laurie
- Re: [therightkey] [cabfpub] Updated Certificate T… Ben Laurie
- Re: [therightkey] Updated Certificate Transparenc… Ben Laurie
- Re: [therightkey] [cabfpub] Updated Certificate T… Rob Stradling
- Re: [therightkey] [cabfpub] Updated Certificate T… Ben Laurie
- Re: [therightkey] [cabfpub] Updated Certificate T… Rob Stradling
- Re: [therightkey] Updated Certificate Transparenc… Rick Andrews
- Re: [therightkey] [cabfpub] Updated Certificate T… Chema López González
- Re: [therightkey] Updated Certificate Transparenc… Ben Laurie
- Re: [therightkey] [cabfpub] Updated Certificate T… kirk_hall@trendmicro.com
- Re: [therightkey] [cabfpub] Thoughts on reducing … Ben Laurie
- Re: [therightkey] [cabfpub] Thoughts on reducing … Tim Moses
- Re: [therightkey] [cabfpub] Thoughts on reducing … Ben Laurie
- Re: [therightkey] [cabfpub] Thoughts on reducing … Daniel Kahn Gillmor
- Re: [therightkey] [cabfpub] Thoughts on reducing … Ben Laurie
- Re: [therightkey] [cabfpub] Thoughts on reducing … Daniel Kahn Gillmor
- Re: [therightkey] [cabfpub] Updated Certificate T… Rob Stradling
- Re: [therightkey] [cabfpub] Updated Certificate T… i-barreira
- Re: [therightkey] [cabfpub] Updated Certificate T… Rob Stradling
- Re: [therightkey] [cabfpub] Updated Certificate T… Mat Caughron
- Re: [therightkey] [cabfpub] Updated Certificate T… Mat Caughron