Re: [therightkey] Updated Certificate Transparency + Extended Validation plan
Adam Langley <agl@chromium.org> Thu, 06 February 2014 19:05 UTC
Return-Path: <agl@google.com>
X-Original-To: therightkey@ietfa.amsl.com
Delivered-To: therightkey@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 871B21A03E2 for <therightkey@ietfa.amsl.com>; Thu, 6 Feb 2014 11:05:48 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.914
X-Spam-Level:
X-Spam-Status: No, score=-1.914 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, RP_MATCHES_RCVD=-0.535, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2J0CpBN7pTn2 for <therightkey@ietfa.amsl.com>; Thu, 6 Feb 2014 11:05:46 -0800 (PST)
Received: from mail-vc0-x22c.google.com (mail-vc0-x22c.google.com [IPv6:2607:f8b0:400c:c03::22c]) by ietfa.amsl.com (Postfix) with ESMTP id A6A251A00EA for <therightkey@ietf.org>; Thu, 6 Feb 2014 11:05:46 -0800 (PST)
Received: by mail-vc0-f172.google.com with SMTP id lf12so1793529vcb.31 for <therightkey@ietf.org>; Thu, 06 Feb 2014 11:05:45 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc:content-type:content-transfer-encoding; bh=CA7J8ETM8DwTkbJYC/yP87WbSf1WSxh+A2pPda7AEHc=; b=QVsy3ftZJaYnxgM7xh4ufQzGIm26RlyGzZadsxb+GM3nZSL9RxLI7tHSPtGMcqMs7Q lyIlJ529BfIz9nh0g1EehtnZKMWPc4NO44JxvXj0xGDXsblUScYfEm5CH86Ai6q2KQ9Z cyG83W4LfzpP6+SZDx/1BrC9ZkdsGcak9LPbw9eIUjzwClhELoDkUmxq+j7Fkf5sLs4B keOnCXCr8aCHq+s5XjYX4a7eUjphbUBuHM7sZJLN0/3gDs8kPJoA34UBcliqencGoFBi s3ikR/U6CqRLGo8hrD8Bx2Q8x/itbOn8OkVBxEpXc8c5QZNIQlUS+A5/aIZiQZe9wUny SLPg==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc:content-type:content-transfer-encoding; bh=CA7J8ETM8DwTkbJYC/yP87WbSf1WSxh+A2pPda7AEHc=; b=Q1CQTF8kl+APVC3Xl7ENFa2fjmiBSZipPvpqNLs7DLDG7XAJfUzia1vj7IoTj3DqhB cNYr7HtEHqcQHsYx1R0P/PCol+ygohrZHB8xcmM2QWQy0wK5ZU7bwRVK05tjDJzmLXB7 1a6kn42otL4hOexC1Pxn4JhJ0H7DwFywOeGPg=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc:content-type :content-transfer-encoding; bh=CA7J8ETM8DwTkbJYC/yP87WbSf1WSxh+A2pPda7AEHc=; b=R8dNgC//zFhTNAbiR7TGqGQwLTnXrcAlWQtO0O+YD/81aECo9QQuCVHR0VSrrDFeZw DJKdiHPC2dfIZgxpkr+KucfDdHgWKRjvTucouNtHAH96Tk4bSAYSbRvcATcmca21F+9T Wy6X5K0ZjUWAVcnXhYBRWqKXMNgcCnDwj5G75DZOEjyzoCbb0NA4CxyUOfTaRj8OF+Ie EomtLIJSAaW9e1dbNlWWrVBzR40dtpTxETVW+uyi/mL6Z/QeqTEROUnubRmZrT+0mbeA jPHrOBstFWsKiAsrAQ9PnozGO0+kKguqu6ojo5wq+eLNwsiLENc0KnVt9WDw2NR+lTzK Xnmg==
X-Gm-Message-State: ALoCoQkFChLh5k9l4mqY3QtyTt00H88gO3pX76PlGwJizyQhv2/YFXyrVXDsPEKKvCGUZQNRPOSNT0+PxyqZHNTDdj+TJf5v1Ndh3xjW8pSmORG2+jTKWGj52pvO8MR7F6RF0FeLKX0D72dGb4tF+oAWLHV8N/lpi3eJ1sO3BQttE6IKHpqzA0Zf1lIRJ+1ypp4wC7n8q8Xb
X-Received: by 10.58.235.129 with SMTP id um1mr7102459vec.17.1391713545225; Thu, 06 Feb 2014 11:05:45 -0800 (PST)
MIME-Version: 1.0
Sender: agl@google.com
Received: by 10.52.104.37 with HTTP; Thu, 6 Feb 2014 11:05:25 -0800 (PST)
In-Reply-To: <544B0DD62A64C1448B2DA253C011414607C3F53600@TUS1XCHEVSPIN33.SYMC.SYMANTEC.COM>
References: <CABrd9STwBDxwB1vtmS9Ozb5e_7D=zfOqkOBeAaT2HG7X-cw5gw@mail.gmail.com> <544B0DD62A64C1448B2DA253C011414607C3F53600@TUS1XCHEVSPIN33.SYMC.SYMANTEC.COM>
From: Adam Langley <agl@chromium.org>
Date: Thu, 06 Feb 2014 14:05:25 -0500
X-Google-Sender-Auth: v77p211SFmDPT6bcg5hvTOT0j_A
Message-ID: <CAL9PXLwesT0=Q_YFXyfqDGGMZdD0XtZEkCvGUTrV9zkgQQ4=kg@mail.gmail.com>
To: certificate-transparency <certificate-transparency@googlegroups.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Cc: "therightkey@ietf.org" <therightkey@ietf.org>, Ben Laurie <benl@google.com>, CABFPub <public@cabforum.org>
Subject: Re: [therightkey] Updated Certificate Transparency + Extended Validation plan
X-BeenThere: therightkey@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <therightkey.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/therightkey>, <mailto:therightkey-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/therightkey/>
List-Post: <mailto:therightkey@ietf.org>
List-Help: <mailto:therightkey-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/therightkey>, <mailto:therightkey-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 06 Feb 2014 19:05:48 -0000
On Thu, Feb 6, 2014 at 1:51 PM, Rick Andrews <Rick_Andrews@symantec.com> wrote: > Can you clarify something? The SCT delivery options described in the RFC are options for the web site owner, not for the CA. CAs will need to support all three options. We will have customers who won’t do stapling and can’t handle TLS extensions, so they just want the SCTs embedded in the cert. But not all customers will prefer that option. I believe other customers will want the SCT-in-the-OCSP-response or TLS extension option, because in those options you don’t have to transmit the SCTs in every SSL handshake. I suspect some of our large customers who are obsessed with performance will demand one of these options. > > So CAs will need to support all three options, unless you’re so small a CA that your few EV customers agree on one option. Is that your expectation? SCTs embedded in the certificate won't be sent for resumption handshakes of course. The TLS extension will be sent in the same cases as SCTs embedded in the certificate. (And the TLS extension doesn't need the CA to do anything.) The stapled OCSP response is likely to be sent in the same cases also. One could imagine a client that doesn't request a stapled OCSP response when it has a cached OCSP response for the certificate that it saw from the server last time. But, if the server responds with a different certificate it's stuck. So I expect clients to always request the OCSP staple. So a CA only really need worry about the embedded case. Customers who are concerned about the performance impact of a few hundred extra bytes very likely have much easier avenues to reduce the size, like having different certs for different names rather than dozens of SANs. Cheers AGL
- [therightkey] Updated Certificate Transparency + … Ben Laurie
- Re: [therightkey] [cabfpub] Updated Certificate T… Jeremy Rowley
- Re: [therightkey] [cabfpub] Updated Certificate T… Adam Langley
- Re: [therightkey] [cabfpub] Updated Certificate T… Ryan Sleevi
- Re: [therightkey] [cabfpub] Updated Certificate T… Jeremy Rowley
- Re: [therightkey] [cabfpub] Updated Certificate T… Adam Langley
- Re: [therightkey] [cabfpub] Updated Certificate T… Jeremy Rowley
- Re: [therightkey] [cabfpub] Updated Certificate T… Jeremy Rowley
- Re: [therightkey] [cabfpub] Updated Certificate T… Ryan Sleevi
- Re: [therightkey] [cabfpub] Updated Certificate T… Adam Langley
- Re: [therightkey] [cabfpub] Updated Certificate T… Adam Langley
- Re: [therightkey] [cabfpub] Updated Certificate T… Jeremy Rowley
- Re: [therightkey] [cabfpub] Updated Certificate T… Adam Langley
- Re: [therightkey] [cabfpub] Updated Certificate T… Jeremy Rowley
- Re: [therightkey] [cabfpub] Updated Certificate T… Adam Langley
- Re: [therightkey] [cabfpub] Updated Certificate T… Jeremy Rowley
- Re: [therightkey] [cabfpub] Updated Certificate T… Adam Langley
- Re: [therightkey] [cabfpub] Updated Certificate T… Ben Laurie
- Re: [therightkey] [cabfpub] Updated Certificate T… Ryan Sleevi
- Re: [therightkey] Updated Certificate Transparenc… Wayne Thayer
- Re: [therightkey] [cabfpub] Updated Certificate T… Ryan Sleevi
- Re: [therightkey] [cabfpub] Updated Certificate T… Wayne Thayer
- Re: [therightkey] [cabfpub] Updated Certificate T… Jeremy Rowley
- Re: [therightkey] [cabfpub] Updated Certificate T… Ryan Sleevi
- Re: [therightkey] [cabfpub] Updated Certificate T… Wayne Thayer
- Re: [therightkey] [cabfpub] Updated Certificate T… Ryan Sleevi
- Re: [therightkey] [cabfpub] Updated Certificate T… Wayne Thayer
- Re: [therightkey] [cabfpub] Updated Certificate T… Ryan Sleevi
- [therightkey] Thoughts on reducing SCT sizes (was… Rob Stradling
- Re: [therightkey] Updated Certificate Transparenc… Ben Laurie
- Re: [therightkey] [cabfpub] Updated Certificate T… Rob Stradling
- Re: [therightkey] EXTERNAL: Re: [cabfpub] Updated… Mehner, Carl
- Re: [therightkey] Updated Certificate Transparenc… Rob Stradling
- Re: [therightkey] Updated Certificate Transparenc… Adam Langley
- Re: [therightkey] [cabfpub] Thoughts on reducing … Jeremy Rowley
- Re: [therightkey] [cabfpub] Updated Certificate T… Jeremy Rowley
- Re: [therightkey] [cabfpub] Updated Certificate T… Jeremy Rowley
- Re: [therightkey] [cabfpub] Updated Certificate T… Jeremy Rowley
- Re: [therightkey] [cabfpub] Updated Certificate T… Carl Wallace
- Re: [therightkey] Updated Certificate Transparenc… Paul Hoffman
- Re: [therightkey] Updated Certificate Transparenc… Adam Langley
- Re: [therightkey] [cabfpub] Updated Certificate T… Rob Stradling
- Re: [therightkey] Updated Certificate Transparenc… Paul Hoffman
- Re: [therightkey] Updated Certificate Transparenc… Rob Stradling
- Re: [therightkey] [cabfpub] Updated Certificate T… Rob Stradling
- Re: [therightkey] Updated Certificate Transparenc… Rick Andrews
- Re: [therightkey] Updated Certificate Transparenc… Adam Langley
- Re: [therightkey] [cabfpub] Updated Certificate T… Ryan Sleevi
- Re: [therightkey] [cabfpub] Updated Certificate T… michal.proszkiewicz
- Re: [therightkey] Updated Certificate Transparenc… Ben Laurie
- Re: [therightkey] [cabfpub] Updated Certificate T… Ben Laurie
- Re: [therightkey] [cabfpub] Updated Certificate T… Ben Laurie
- Re: [therightkey] Updated Certificate Transparenc… Ben Laurie
- Re: [therightkey] [cabfpub] Updated Certificate T… Rob Stradling
- Re: [therightkey] [cabfpub] Updated Certificate T… Ben Laurie
- Re: [therightkey] [cabfpub] Updated Certificate T… Rob Stradling
- Re: [therightkey] Updated Certificate Transparenc… Rick Andrews
- Re: [therightkey] [cabfpub] Updated Certificate T… Chema López González
- Re: [therightkey] Updated Certificate Transparenc… Ben Laurie
- Re: [therightkey] [cabfpub] Updated Certificate T… kirk_hall@trendmicro.com
- Re: [therightkey] [cabfpub] Thoughts on reducing … Ben Laurie
- Re: [therightkey] [cabfpub] Thoughts on reducing … Tim Moses
- Re: [therightkey] [cabfpub] Thoughts on reducing … Ben Laurie
- Re: [therightkey] [cabfpub] Thoughts on reducing … Daniel Kahn Gillmor
- Re: [therightkey] [cabfpub] Thoughts on reducing … Ben Laurie
- Re: [therightkey] [cabfpub] Thoughts on reducing … Daniel Kahn Gillmor
- Re: [therightkey] [cabfpub] Updated Certificate T… Rob Stradling
- Re: [therightkey] [cabfpub] Updated Certificate T… i-barreira
- Re: [therightkey] [cabfpub] Updated Certificate T… Rob Stradling
- Re: [therightkey] [cabfpub] Updated Certificate T… Mat Caughron
- Re: [therightkey] [cabfpub] Updated Certificate T… Mat Caughron