IETF Logo Mail Archive

Re: [therightkey] [cabfpub] Updated Certificate Transparency + Extended Validation plan

Ryan Sleevi <sleevi@google.com> Tue, 04 February 2014 19:21 UTC

Return-Path: <sleevi@google.com>
X-Original-To: therightkey@ietfa.amsl.com
Delivered-To: therightkey@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E0C591A01DF for <therightkey@ietfa.amsl.com>; Tue, 4 Feb 2014 11:21:51 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.913
X-Spam-Level:
X-Spam-Status: No, score=-1.913 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RP_MATCHES_RCVD=-0.535, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fB7iFB-lUbm7 for <therightkey@ietfa.amsl.com>; Tue, 4 Feb 2014 11:21:47 -0800 (PST)
Received: from mail-qa0-x22a.google.com (mail-qa0-x22a.google.com [IPv6:2607:f8b0:400d:c00::22a]) by ietfa.amsl.com (Postfix) with ESMTP id 60D2A1A0187 for <therightkey@ietf.org>; Tue, 4 Feb 2014 11:21:47 -0800 (PST)
Received: by mail-qa0-f42.google.com with SMTP id k4so13043991qaq.15 for <therightkey@ietf.org>; Tue, 04 Feb 2014 11:21:46 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=J+1Jah/6mKjqsysNHLH4huALhjSujRYb3vkX5VaU6VU=; b=Y0ymzPz9lvtMH7TYPj1tZWE+l9ydCTWxeXI7uytgqwNCCj2Yq4WMxrmVtvOqj5RX2P 1CZE05YnOsfRESiVR6t1V+KfFZRFl3aoD/ZRWgIocUCIzqPB1PcxjoMG8c9IGzrNbSGB CjHY3AsUGFczcEKehn8FOLc7yN8X50V6Da6p5g9E3Wi1B+G22syjhFIZqAltJ3VmvkNg nlW87ynQQ7ewllOzpMPI8EFFic/EKeyTB+o98k8h1TBB5EUjK9eW6WJyvfla3FyKmq5o u+bIjfZqrZsMBUwA4WHMPRHOXcj+x5u6LZgxk3pY7fzHzJIEY7lLMwXtNAbTqrBLCmKS dQLQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=J+1Jah/6mKjqsysNHLH4huALhjSujRYb3vkX5VaU6VU=; b=l2oT045tz6jVFGSX63Uwp0uun8tlRHKKpBtM7MzWZAGQcSUj9IB8nSazOYmRjow/vd sDrvgA3sfF4RBwz6tDZcfWFQ4ZEiYpk/G0gszPXPnSC8vkSWxFCmUPqv0G7jxSNk7o+v oxISFnKISTcUxksNkJEjlwGVCXH7fuz7fCEx3/OZJFw348Sjz3REbLy3uTxKYXWRn3ws L2BIP5ZEKyWU7mAsUKdASz+AUUkNhZWtMnh+z7aW2bok9Uv2pJvcUX5gVUfyCEjnB3NB vBaJ5lDEGo7/9Y/Hk+ZaEHIcFr9mgxt23yETOVpORt/wNV9mPLE0iOAtca2G5d8rcJZI t1GA==
X-Gm-Message-State: ALoCoQku3VmliJqzaA54RTAOLwXOLWpXPPBtS4m0UcbP9FjEtmRbyEbyOJ9pLdhixcHoU3eR9GCUhn4gfLezbOm8ehF7tMj4cSOwcMtf6wg1poFIDGuBT+ssutGg1L2BE4OxgpGqr8ZyOicY+Tw/Mb2e1vy+vR8tu5YDIvdp/72GyUHHW1sdqjeNfll6Cze9z3e8/gwBv1Di
MIME-Version: 1.0
X-Received: by 10.140.109.228 with SMTP id l91mr65092760qgf.72.1391541706759; Tue, 04 Feb 2014 11:21:46 -0800 (PST)
Received: by 10.229.154.208 with HTTP; Tue, 4 Feb 2014 11:21:46 -0800 (PST)
In-Reply-To: <05c401cf21dc$27903e40$76b0bac0$@digicert.com>
References: <CABrd9STwBDxwB1vtmS9Ozb5e_7D=zfOqkOBeAaT2HG7X-cw5gw@mail.gmail.com> <04a001cf21cf$3a649190$af2db4b0$@digicert.com> <CAL9PXLyWFSfHz_230SkWLvr7sUROPv_k0rfKgmkMRRttk-EjGQ@mail.gmail.com> <05bf01cf21db$5146c2a0$f3d447e0$@digicert.com> <05c401cf21dc$27903e40$76b0bac0$@digicert.com>
Date: Tue, 04 Feb 2014 11:21:46 -0800
Message-ID: <CACvaWvav-u1So5QuZtUEqzfV7XV-vFi7HOmussNaPjx=GLje+g@mail.gmail.com>
From: Ryan Sleevi <sleevi@google.com>
To: Jeremy Rowley <jeremy.rowley@digicert.com>
Content-Type: multipart/alternative; boundary="001a1138fa841f333904f1998d3b"
Cc: therightkey@ietf.org, Adam Langley <agl@chromium.org>, certificate-transparency@googlegroups.com, CABFPub <public@cabforum.org>
Subject: Re: [therightkey] [cabfpub] Updated Certificate Transparency + Extended Validation plan
X-BeenThere: therightkey@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <therightkey.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/therightkey>, <mailto:therightkey-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/therightkey/>
List-Post: <mailto:therightkey@ietf.org>
List-Help: <mailto:therightkey-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/therightkey>, <mailto:therightkey-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 04 Feb 2014 19:21:52 -0000

On Tue, Feb 4, 2014 at 11:06 AM, Jeremy Rowley
<jeremy.rowley@digicert.com>wrote:

> Also, I'm not sure how basing the number of logs based on the lifecycle
> actually minimizes the impact of log revocation. If a log containing a
> couple thousand 1-year certificates is compromised, the damage from
> revocation is about the same as a log containing thousands of 3-year certs.
> Unless you plan is to revoke the log and wait for all impacted certificates
> to actually expire (giving a 12 month risk), the impact depends on the
> number of certificates valid at the time of revocation, not the expiration
> date of the certificate.
>
>
The "impact" is only present if a single SCT is acceptable.

Increasing the number of SCTs decreases the impact of log revocation, as
the probability that any given certificate will be directly affected by a
single revocation (which is far, far less common one would hope) decreases
relative to the number of distinct logs it is logged in.

Further, a 1 year certificate that is renewed every year has a greater
chance to respond to any revocation events than a 3 year certificate, which
will not be re-issued for 3 years, and thus is unable to respond to any
revocation events (as unlikely as they may be) that happen in the interim.


> -----Original Message-----
> From: public-bounces@cabforum.org [mailto:public-bounces@cabforum.org] On
> Behalf Of Jeremy Rowley
> Sent: Tuesday, February 04, 2014 12:00 PM
> To: 'Adam Langley'; certificate-transparency@googlegroups.com
> Cc: therightkey@ietf.org; 'CABFPub'
> Subject: Re: [cabfpub] [therightkey] Updated Certificate Transparency +
> Extended Validation plan
>
> The entire point is to disclose the entire universe of public certificates
> to the customer.  If the customer doesn't want to use it, the purpose is no
> longer being fulfilled. The way we plan on implementing CT will ensure logs
> are not irrevocable.  I agree we should make SCTs as small as possible, but
> the last I've heard from our team is  they are still at 100 bytes per log.
>
> Jeremy
>
> -----Original Message-----
> From: therightkey [mailto:therightkey-bounces@ietf.org] On Behalf Of Adam
> Langley
> Sent: Tuesday, February 04, 2014 10:52 AM
> To: certificate-transparency@googlegroups.com
> Cc: therightkey@ietf.org; Ben Laurie; CABFPub
> Subject: Re: [therightkey] [cabfpub] Updated Certificate Transparency +
> Extended Validation plan
>
> On Tue, Feb 4, 2014 at 12:33 PM, Jeremy Rowley <jeremy.rowley@digicert.com
> >
> wrote:
> > Three or four proofs for a 27 month certificate is way too many.  The
> number of proofs should be decided based on the customer's risk profile,
> not
> a set number based on certificate lifecycle. Adding 400 bytes per
> certificate will make EV certificates unusable by entities concerned with
> performance.
>
> The customer doesn't carry the risk: the risk is that we'll be unable to
> revoke a log in clients due to the number of certificates that depend on
> it.
>
> We should make the SCTs as small as possible, the the switch to larger
> initcwnds in recent years has released much of the pressure on keeping
> certificate sizes below the tradition initcwnd limit.
>
>
> Cheers
>
> AGL
> _______________________________________________
> therightkey mailing list
> therightkey@ietf.org
> https://www.ietf.org/mailman/listinfo/therightkey
>
> _______________________________________________
> Public mailing list
> Public@cabforum.org
> https://cabforum.org/mailman/listinfo/public
>
> _______________________________________________
> Public mailing list
> Public@cabforum.org
> https://cabforum.org/mailman/listinfo/public
>

v2.23.0 | Report a Bug | By Email