IETF Logo Mail Archive

Re: [therightkey] Updated Certificate Transparency + Extended Validation plan

Adam Langley <agl@chromium.org> Thu, 06 February 2014 19:05 UTC

Return-Path: <agl@google.com>
X-Original-To: therightkey@ietfa.amsl.com
Delivered-To: therightkey@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 871B21A03E2 for <therightkey@ietfa.amsl.com>; Thu, 6 Feb 2014 11:05:48 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.914
X-Spam-Level:
X-Spam-Status: No, score=-1.914 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, RP_MATCHES_RCVD=-0.535, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2J0CpBN7pTn2 for <therightkey@ietfa.amsl.com>; Thu, 6 Feb 2014 11:05:46 -0800 (PST)
Received: from mail-vc0-x22c.google.com (mail-vc0-x22c.google.com [IPv6:2607:f8b0:400c:c03::22c]) by ietfa.amsl.com (Postfix) with ESMTP id A6A251A00EA for <therightkey@ietf.org>; Thu, 6 Feb 2014 11:05:46 -0800 (PST)
Received: by mail-vc0-f172.google.com with SMTP id lf12so1793529vcb.31 for <therightkey@ietf.org>; Thu, 06 Feb 2014 11:05:45 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc:content-type:content-transfer-encoding; bh=CA7J8ETM8DwTkbJYC/yP87WbSf1WSxh+A2pPda7AEHc=; b=QVsy3ftZJaYnxgM7xh4ufQzGIm26RlyGzZadsxb+GM3nZSL9RxLI7tHSPtGMcqMs7Q lyIlJ529BfIz9nh0g1EehtnZKMWPc4NO44JxvXj0xGDXsblUScYfEm5CH86Ai6q2KQ9Z cyG83W4LfzpP6+SZDx/1BrC9ZkdsGcak9LPbw9eIUjzwClhELoDkUmxq+j7Fkf5sLs4B keOnCXCr8aCHq+s5XjYX4a7eUjphbUBuHM7sZJLN0/3gDs8kPJoA34UBcliqencGoFBi s3ikR/U6CqRLGo8hrD8Bx2Q8x/itbOn8OkVBxEpXc8c5QZNIQlUS+A5/aIZiQZe9wUny SLPg==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc:content-type:content-transfer-encoding; bh=CA7J8ETM8DwTkbJYC/yP87WbSf1WSxh+A2pPda7AEHc=; b=Q1CQTF8kl+APVC3Xl7ENFa2fjmiBSZipPvpqNLs7DLDG7XAJfUzia1vj7IoTj3DqhB cNYr7HtEHqcQHsYx1R0P/PCol+ygohrZHB8xcmM2QWQy0wK5ZU7bwRVK05tjDJzmLXB7 1a6kn42otL4hOexC1Pxn4JhJ0H7DwFywOeGPg=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc:content-type :content-transfer-encoding; bh=CA7J8ETM8DwTkbJYC/yP87WbSf1WSxh+A2pPda7AEHc=; b=R8dNgC//zFhTNAbiR7TGqGQwLTnXrcAlWQtO0O+YD/81aECo9QQuCVHR0VSrrDFeZw DJKdiHPC2dfIZgxpkr+KucfDdHgWKRjvTucouNtHAH96Tk4bSAYSbRvcATcmca21F+9T Wy6X5K0ZjUWAVcnXhYBRWqKXMNgcCnDwj5G75DZOEjyzoCbb0NA4CxyUOfTaRj8OF+Ie EomtLIJSAaW9e1dbNlWWrVBzR40dtpTxETVW+uyi/mL6Z/QeqTEROUnubRmZrT+0mbeA jPHrOBstFWsKiAsrAQ9PnozGO0+kKguqu6ojo5wq+eLNwsiLENc0KnVt9WDw2NR+lTzK Xnmg==
X-Gm-Message-State: ALoCoQkFChLh5k9l4mqY3QtyTt00H88gO3pX76PlGwJizyQhv2/YFXyrVXDsPEKKvCGUZQNRPOSNT0+PxyqZHNTDdj+TJf5v1Ndh3xjW8pSmORG2+jTKWGj52pvO8MR7F6RF0FeLKX0D72dGb4tF+oAWLHV8N/lpi3eJ1sO3BQttE6IKHpqzA0Zf1lIRJ+1ypp4wC7n8q8Xb
X-Received: by 10.58.235.129 with SMTP id um1mr7102459vec.17.1391713545225; Thu, 06 Feb 2014 11:05:45 -0800 (PST)
MIME-Version: 1.0
Sender: agl@google.com
Received: by 10.52.104.37 with HTTP; Thu, 6 Feb 2014 11:05:25 -0800 (PST)
In-Reply-To: <544B0DD62A64C1448B2DA253C011414607C3F53600@TUS1XCHEVSPIN33.SYMC.SYMANTEC.COM>
References: <CABrd9STwBDxwB1vtmS9Ozb5e_7D=zfOqkOBeAaT2HG7X-cw5gw@mail.gmail.com> <544B0DD62A64C1448B2DA253C011414607C3F53600@TUS1XCHEVSPIN33.SYMC.SYMANTEC.COM>
From: Adam Langley <agl@chromium.org>
Date: Thu, 06 Feb 2014 14:05:25 -0500
X-Google-Sender-Auth: v77p211SFmDPT6bcg5hvTOT0j_A
Message-ID: <CAL9PXLwesT0=Q_YFXyfqDGGMZdD0XtZEkCvGUTrV9zkgQQ4=kg@mail.gmail.com>
To: certificate-transparency <certificate-transparency@googlegroups.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Cc: "therightkey@ietf.org" <therightkey@ietf.org>, Ben Laurie <benl@google.com>, CABFPub <public@cabforum.org>
Subject: Re: [therightkey] Updated Certificate Transparency + Extended Validation plan
X-BeenThere: therightkey@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <therightkey.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/therightkey>, <mailto:therightkey-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/therightkey/>
List-Post: <mailto:therightkey@ietf.org>
List-Help: <mailto:therightkey-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/therightkey>, <mailto:therightkey-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 06 Feb 2014 19:05:48 -0000

On Thu, Feb 6, 2014 at 1:51 PM, Rick Andrews <Rick_Andrews@symantec.com> wrote:
> Can you clarify something? The SCT delivery options described in the RFC are options for the web site owner, not for the CA. CAs will need to support all three options. We will have customers who won’t do stapling and can’t handle TLS extensions, so they just want the SCTs embedded in the cert. But not all customers will prefer that option. I believe other customers will want the SCT-in-the-OCSP-response or TLS extension option, because in those options you don’t have to transmit the SCTs in every SSL handshake. I suspect some of our large customers who are obsessed with performance will demand one of these options.
>
> So CAs will need to support all three options, unless you’re so small a CA that your few EV customers agree on one option. Is that your expectation?

SCTs embedded in the certificate won't be sent for resumption
handshakes of course.

The TLS extension will be sent in the same cases as SCTs embedded in
the certificate. (And the TLS extension doesn't need the CA to do
anything.)

The stapled OCSP response is likely to be sent in the same cases also.
One could imagine a client that doesn't request a stapled OCSP
response when it has a cached OCSP response for the certificate that
it saw from the server last time. But, if the server responds with a
different certificate it's stuck. So I expect clients to always
request the OCSP staple.

So a CA only really need worry about the embedded case. Customers who
are concerned about the performance impact of a few hundred extra
bytes very likely have much easier avenues to reduce the size, like
having different certs for different names rather than dozens of SANs.


Cheers

AGL

v2.23.0 | Report a Bug | By Email