Re: [therightkey] [cabfpub] Updated Certificate Transparency + Extended Validation plan

"Jeremy Rowley" <jeremy.rowley@digicert.com> Wed, 05 February 2014 16:32 UTC

From: Jeremy Rowley <jeremy.rowley@digicert.com>
To: michal.proszkiewicz@unizeto.pl, agl@chromium.org
References: <CAL9PXLzCqvBGW=Du9ZAdMXiVgcO8WJHXf+wG7EuzE2246TFEmg@mail.gmail.com> <OF51410A26.69287B04-ONC1257C76.0058AE9E-C1257C76.0059B04A@unizeto.pl>
In-Reply-To: <OF51410A26.69287B04-ONC1257C76.0058AE9E-C1257C76.0059B04A@unizeto.pl>
Date: Wed, 05 Feb 2014 09:32:36 -0700
Message-ID: <0b6a01cf228f$e58aa490$b09fedb0$@digicert.com>
Cc: therightkey@ietf.org, public-bounces@cabforum.org, certificate-transparency@googlegroups.com, public@cabforum.org
Subject: Re: [therightkey] [cabfpub] Updated Certificate Transparency + Extended Validation plan

True - short lived certs are typically not EV certs, but, as pointed out,
the eventual plan is for all certs. We might as well make it uniform now.

Anyone using a short-lived cert must be able to easily replace existing
certificates. That, combined with the relatively low number of
certificates, minimizes the risk of a site going dark because of a
compromised log.

Jeremy

 

From: public-bounces@cabforum.org [mailto:public-bounces@cabforum.org] On
Behalf Of michal.proszkiewicz@unizeto.pl
Sent: Wednesday, February 05, 2014 9:20 AM
To: agl@chromium.org
Cc: therightkey@ietf.org; public-bounces@cabforum.org;
certificate-transparency@googlegroups.com; public@cabforum.org
Subject: Re: [cabfpub] Updated Certificate Transparency + Extended
Validation plan

 


If we are talking about EV certificates then probably there are not many
that are valid for 1 month.

It may be the case for other types of certificates. For example, CERTUM issues
trusted test SSL certificates valid for 30 days (standard DV verification
procedures and DV certificate profile).

On the other hand, we give our customers the possibility to manually shorten the
validity period to one day if they like (for every certificate type).

-Michał





From: Adam Langley <agl@chromium.org>
Sent by: public-bounces@cabforum.org
Date: 2014-02-05 16:40
To: certificate-transparency <certificate-transparency@googlegroups.com>
Cc: "therightkey@ietf.org" <therightkey@ietf.org>, CABFPub <public@cabforum.org>
Subject: Re: [cabfpub] Updated Certificate Transparency + Extended Validation plan


On Wed, Feb 5, 2014 at 10:26 AM, Rob Stradling <rob.stradling@comodo.com>
wrote:
> Also, what happened to the idea of only requiring 1 SCT for a 1-month
cert?

I'm to blame for that.

Certificates with a single SCT put a lower bound on how quickly we can
distrust a log (at least without special measures, such as shipping
the whole, public log hashes to all the clients, which is probably
impractical.) Since I'm not aware of any CAs issuing one month certs,
and it only saves ~100 bytes vs 2 SCTs, it seemed to be something that
should be dropped.


Cheers

AGL
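To make the trade-off in Adam Langley's quoted reply concrete, here is an added Python model (not code from this thread, from Chromium or from any CT implementation): a client keeps accepting a certificate while at least `min_scts` of its SCTs come from logs it still trusts, so the earliest day a log can be distrusted without stranding a still-valid certificate is bounded by the longest-lived certificate that depends on that log alone. The log ids, expiry day numbers and certificates below are constructed sample values.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    name: str
    not_after: int        # expiry as a day number (constructed units)
    sct_logs: frozenset   # ids of the logs that issued this cert's SCTs


def is_ct_qualified(cert, trusted_logs, min_scts):
    """A cert stays acceptable while enough of its SCTs come from trusted logs."""
    return len(cert.sct_logs & trusted_logs) >= min_scts


def stranded_by(log, certs, trusted_logs, min_scts, today):
    """Still-valid certs that are qualified now but would stop being
    qualified the moment `log` is removed from the trusted set."""
    remaining = trusted_logs - {log}
    return [c for c in certs
            if c.not_after > today
            and is_ct_qualified(c, trusted_logs, min_scts)
            and not is_ct_qualified(c, remaining, min_scts)]


def earliest_safe_distrust(log, certs, trusted_logs, min_scts, today):
    """Earliest day `log` can be distrusted without breaking any site: today
    if nothing depends solely on it, otherwise the latest stranded expiry."""
    stranded = stranded_by(log, certs, trusted_logs, min_scts, today)
    return max((c.not_after for c in stranded), default=today)


# Constructed sample: one 1-month cert with a single SCT, two certs with two.
TRUSTED_LOGS = frozenset({"log-a", "log-b", "log-c"})
SAMPLE_CERTS = [
    Cert("one-month-single-sct", 30, frozenset({"log-a"})),
    Cert("ev-two-scts", 365, frozenset({"log-a", "log-b"})),
    Cert("dv-two-scts", 400, frozenset({"log-b", "log-c"})),
]

if __name__ == "__main__":
    for log in sorted(TRUSTED_LOGS):
        day = earliest_safe_distrust(log, SAMPLE_CERTS, TRUSTED_LOGS, 1, 0)
        names = [c.name for c in stranded_by(log, SAMPLE_CERTS, TRUSTED_LOGS, 1, 0)]
        print(f"{log}: earliest safe distrust day {day}, would strand {names}")
```

Run as written, the single-SCT one-month cert is the only thing holding back distrust of `log-a`, and it holds it back for exactly the cert's lifetime; the two-SCT certs can lose either of their logs immediately.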