Re: [therightkey] [cabfpub] Updated Certificate Transparency + Extended Validation plan

Ben Laurie <benl@google.com> Tue, 04 February 2014 20:54 UTC

In-Reply-To: <CAL9PXLzKqwNavow6Vhm9FBD_9U_PepNSxfRZfQv7=r7vDeb07w@mail.gmail.com>
References: <CABrd9STwBDxwB1vtmS9Ozb5e_7D=zfOqkOBeAaT2HG7X-cw5gw@mail.gmail.com> <04a001cf21cf$3a649190$af2db4b0$@digicert.com> <01dc01cf21db$146dac40$3d4904c0$@globalsign.com> <CAL9PXLzFNCmwrQVBJKPuB8v2hSe6akT-rFku=p60PicLYH8JMA@mail.gmail.com> <05c501cf21dc$bbc70da0$335528e0$@digicert.com> <CAL9PXLxx3gNRSN7FF1T=uQv6q5qooKNjO7Q1FSsZPLmSFt9NSQ@mail.gmail.com> <063601cf21e5$2e696440$8b3c2cc0$@digicert.com> <CAL9PXLywZUgLjAABQbtVoid2wSCmR6epOgFjC5jDoA90nUnWzQ@mail.gmail.com> <066901cf21e7$2bf25ee0$83d71ca0$@digicert.com> <CAL9PXLx_5_0cc0yCYUROqM7FN6c2HR+vmkxeWBxPNf+gq0wVNw@mail.gmail.com> <069201cf21e8$f5b8c510$e12a4f30$@digicert.com> <CAL9PXLzKqwNavow6Vhm9FBD_9U_PepNSxfRZfQv7=r7vDeb07w@mail.gmail.com>
Date: Tue, 04 Feb 2014 20:54:13 +0000
Message-ID: <CABrd9SQ=wWpc4TmCBRfTWeLhvmYWuECaHnQP=HP8xDYMfq1Kaw@mail.gmail.com>
From: Ben Laurie <benl@google.com>
To: certificate-transparency@googlegroups.com
Content-Type: text/plain; charset="UTF-8"
Cc: therightkey <therightkey@ietf.org>, CABFPub <public@cabforum.org>
Subject: Re: [therightkey] [cabfpub] Updated Certificate Transparency + Extended Validation plan

On 4 February 2014 20:50, Adam Langley <agl@chromium.org> wrote:
> On Tue, Feb 4, 2014 at 3:37 PM, Jeremy Rowley
> <jeremy.rowley@digicert.com> wrote:
>> Doesn't that simply require the cert user to either start using OCSP with an
>> embedded certificate or getting a new certificate from the user?
>
> If the certificate was used with OCSP stapling, the CA had a
> reasonably short OCSP validity window and the CA could update the SCT
> in the OCSP response quickly then that would solve the problem.
>
> However, for the purposes of this spec I don't think we said anything
> about that because of the complexity. Having multiple SCTs is clearly
> ok and that kept things simple.

Actually, we do. For the TLS extension and OCSP stapling a single SCT
is allowed.
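The delivery paths discussed above (TLS extension, OCSP stapling) carry SCTs in the SignedCertificateTimestampList structure of RFC 6962, and a relying party has to accept a list holding a single SCT. The following is an added example, not code from this thread or from any CT implementation: it serialises and parses that structure, rejecting empty lists and length inconsistencies; the log ID and signature bytes are constructed placeholders and no signature verification is performed.

```python
import struct
from dataclasses import dataclass
from typing import List

# Constructed sample values, not real log data: a placeholder 32-byte log ID
# and a dummy signature blob, used only to exercise the encoder and parser.
SAMPLE_LOG_ID = bytes(range(32))
SAMPLE_SIGNATURE = b"\x30\x44\x02\x20" + b"\x01" * 32 + b"\x02\x20" + b"\x02" * 32

@dataclass
class SCT:
    version: int        # 0 = v1 (the only version RFC 6962 defines)
    log_id: bytes       # SHA-256 hash of the log's public key
    timestamp_ms: int   # milliseconds since the Unix epoch
    extensions: bytes
    hash_alg: int       # TLS HashAlgorithm, 4 = sha256
    sig_alg: int        # TLS SignatureAlgorithm, 3 = ecdsa
    signature: bytes    # opaque here; not verified by this example

def encode_sct(log_id: bytes, timestamp_ms: int, signature: bytes,
               extensions: bytes = b"", hash_alg: int = 4, sig_alg: int = 3) -> bytes:
    """Serialise one v1 SignedCertificateTimestamp (RFC 6962 section 3.2)."""
    return (b"\x00" + log_id + struct.pack(">Q", timestamp_ms)
            + struct.pack(">H", len(extensions)) + extensions
            + bytes([hash_alg, sig_alg]) + struct.pack(">H", len(signature)) + signature)

def encode_sct_list(scts: List[bytes]) -> bytes:
    """Wrap serialised SCTs in a SignedCertificateTimestampList (RFC 6962 section 3.3)."""
    body = b"".join(struct.pack(">H", len(s)) + s for s in scts)
    return struct.pack(">H", len(body)) + body

def parse_sct(data: bytes) -> SCT:
    """Parse one SCT, rejecting unknown versions and any length inconsistency."""
    if len(data) < 43 or data[0] != 0:
        raise ValueError("SCT too short or unsupported version")
    timestamp_ms, ext_len = struct.unpack(">QH", data[33:43])
    pos = 43 + ext_len                       # start of the digitally-signed struct
    if len(data) < pos + 4:
        raise ValueError("truncated SCT extensions or signature header")
    sig_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
    if pos + 4 + sig_len != len(data):       # no trailing or missing bytes allowed
        raise ValueError("SCT signature length mismatch")
    return SCT(0, data[1:33], timestamp_ms, data[43:pos], data[pos], data[pos + 1], data[pos + 4:])

def parse_sct_list(data: bytes) -> List[SCT]:
    """Parse a SignedCertificateTimestampList: one SCT is valid, an empty list is not."""
    if len(data) <= 2 or struct.unpack(">H", data[:2])[0] != len(data) - 2:
        raise ValueError("bad SignedCertificateTimestampList length")
    scts, pos = [], 2
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated SerializedSCT length prefix")
        n = struct.unpack(">H", data[pos:pos + 2])[0]
        if n == 0 or pos + 2 + n > len(data):
            raise ValueError("bad SerializedSCT length")
        scts.append(parse_sct(data[pos + 2:pos + 2 + n]))
        pos += 2 + n
    return scts
```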