Re: [therightkey] [cabfpub] Updated Certificate Transparency + Extended Validation plan
Adam Langley <agl@chromium.org> Wed, 05 February 2014 17:49 UTC
From: Adam Langley <agl@chromium.org>
Date: Wed, 05 Feb 2014 12:49:21 -0500
To: certificate-transparency <certificate-transparency@googlegroups.com>
Cc: "therightkey@ietf.org" <therightkey@ietf.org>, CABFPub <public@cabforum.org>

On Wed, Feb 5, 2014 at 12:26 PM, Rob Stradling <rob.stradling@comodo.com> wrote:
> Presumably it's somewhere between 10 and 31 days, since 1 SCT is acceptable
> for Stapled OCSP and the BRs permit OCSP Responses to be valid for up to 10
> days.

The speed at which we need to distrust a log depends on the minimum number of SCTs actually, which is why allowing a single SCT in stapled OCSP responses is such a large concession. If the minimum number of SCTs were two then the pressure to distrust a log (and the pressure on the logs) would be dramatically reduced because compromising one log wouldn't be sufficient.

> Do you still think [1] is a good plan?

Sure, if any CAs are willing to do it now :)

> How about requiring only 1 SCT for certs with durations <= the maximum
> validity period for an OCSP Response?

I agree that, if we're going to allow one SCT for stapled OCSP responses then we might as well allow one for 10 day certs. However, the only case where ~100 bytes makes any difference is if the certificate chain is right on the edge of the initcwnd and the server cannot (somehow?) set the initcwnd. I.e. it's gone cargo cult.

Cheers

AGL