Re: [therightkey] [cabfpub] Updated Certificate Transparency + Extended Validation plan

Adam Langley <agl@chromium.org> Wed, 05 February 2014 17:49 UTC

In-Reply-To: <52F27445.6040701@comodo.com>
References: <CABrd9STwBDxwB1vtmS9Ozb5e_7D=zfOqkOBeAaT2HG7X-cw5gw@mail.gmail.com> <52F25835.60702@comodo.com> <CAL9PXLzCqvBGW=Du9ZAdMXiVgcO8WJHXf+wG7EuzE2246TFEmg@mail.gmail.com> <52F27445.6040701@comodo.com>
From: Adam Langley <agl@chromium.org>
Date: Wed, 05 Feb 2014 12:49:21 -0500
Message-ID: <CAL9PXLzfatu_2LNCrCAKZWYLJArXE7+PDXswGD5fYK0byg-iJQ@mail.gmail.com>
To: certificate-transparency <certificate-transparency@googlegroups.com>
Content-Type: text/plain; charset="UTF-8"
Cc: "therightkey@ietf.org" <therightkey@ietf.org>, CABFPub <public@cabforum.org>
Subject: Re: [therightkey] [cabfpub] Updated Certificate Transparency + Extended Validation plan
List-Id: <therightkey.ietf.org>
List-Archive: <http://www.ietf.org/mail-archive/web/therightkey/>

On Wed, Feb 5, 2014 at 12:26 PM, Rob Stradling <rob.stradling@comodo.com> wrote:
> Presumably it's somewhere between 10 and 31 days, since 1 SCT is acceptable
> for Stapled OCSP and the BRs permit OCSP Responses to be valid for up to 10
> days.

The speed at which we need to distrust a log depends on the minimum
number of SCTs actually, which is why allowing a single SCT in stapled
OCSP responses is such a large concession. If the minimum number of
SCTs were two then the pressure to distrust a log (and the pressure on
the logs) would be dramatically reduced because compromising one log
wouldn't be sufficient.

> Do you still think [1] is a good plan?

Sure, if any CAs are willing to do it now :)

> How about requiring only 1 SCT for certs with durations <= the maximum
> validity period for an OCSP Response?

I agree that, if we're going to allow one SCT for stapled OCSP
responses then we might as well allow one for 10 day certs.

However, the only case where ~100 bytes makes any difference is if the
certificate chain is right on the edge of the initcwnd and the server
cannot (somehow?) set the initcwnd. I.e. it's gone cargo cult.


Cheers

AGL
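The argument above turns on counting SCTs from distinct logs: a single-SCT minimum means one compromised log is enough to vouch for a mis-issued certificate, so that log must be distrusted immediately, whereas a two-SCT minimum counted per distinct log means one compromised log cannot satisfy the policy by itself. The following is an added example illustrating that check; it is not code from this thread, from Chrome, or from any CT policy implementation. The log names, timestamps and the minimum-SCT thresholds passed in are constructed for the illustration.

```python
"""Toy CT policy evaluator: how many distinct, still-trusted logs vouch for
a certificate, and does that meet the required minimum?

Added example with constructed data. The log identifiers below are made up;
a real SCT carries the SHA-256 hash of the log's public key as its log id.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SCT:
    """A Signed Certificate Timestamp reduced to the fields the policy uses."""
    log_id: str        # constructed, human-readable stand-in for the log id
    timestamp_ms: int  # issuance time in ms since the epoch (not checked here)


def distinct_trusted_logs(scts, distrusted_logs=frozenset()):
    """Return the set of log ids vouching for the cert, ignoring distrusted logs.

    Counting by *distinct* log id is the security-relevant part: two SCTs from
    the same log count once, so one compromised log cannot satisfy a
    multi-SCT minimum on its own by simply issuing more SCTs.
    """
    return {s.log_id for s in scts if s.log_id not in distrusted_logs}


def satisfies_policy(scts, min_scts, distrusted_logs=frozenset()):
    """True if at least `min_scts` distinct trusted logs vouch for the cert."""
    return len(distinct_trusted_logs(scts, distrusted_logs)) >= min_scts


def logs_whose_loss_breaks_cert(scts, min_scts, distrusted_logs=frozenset()):
    """Logs whose distrust, on its own, would push this cert below the minimum.

    The longer this list, the less slack there is: every log on it must stay
    trusted for the cert to keep working, which is the pressure the mail
    describes when the minimum is a single SCT.
    """
    trusted = distinct_trusted_logs(scts, distrusted_logs)
    return sorted(log for log in trusted if len(trusted - {log}) < min_scts)


if __name__ == "__main__":
    # Constructed scenarios. "log-alpha" plays the compromised log.
    honest = [SCT("log-alpha", 1391622581354), SCT("log-beta", 1391622581400)]
    rogue = [SCT("log-alpha", 1391622581500), SCT("log-alpha", 1391622581501)]

    # Minimum of one SCT: the rogue log alone is enough until it is distrusted.
    print("min=1, rogue cert accepted:", satisfies_policy(rogue, 1))
    print("min=1, after distrusting log-alpha:",
          satisfies_policy(rogue, 1, {"log-alpha"}))

    # Minimum of two distinct logs: the rogue log cannot vouch on its own.
    print("min=2, rogue cert accepted:", satisfies_policy(rogue, 2))
    print("min=2, honest cert accepted:", satisfies_policy(honest, 2))
    print("single points of failure (min=1, one SCT):",
          logs_whose_loss_breaks_cert(honest[:1], 1))
```

`distrusted_logs` is the browser-side list; the rogue scenario passes a policy of one SCT up to the moment the compromised log lands on that list, and fails a policy of two distinct logs regardless of how many SCTs that one log issues.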