Re: [therightkey] [cabfpub] Updated Certificate Transparency + Extended Validation plan
Ryan Sleevi <sleevi@google.com> Tue, 04 February 2014 19:18 UTC
In-Reply-To: <05bf01cf21db$5146c2a0$f3d447e0$@digicert.com>
References: <CABrd9STwBDxwB1vtmS9Ozb5e_7D=zfOqkOBeAaT2HG7X-cw5gw@mail.gmail.com> <04a001cf21cf$3a649190$af2db4b0$@digicert.com> <CAL9PXLyWFSfHz_230SkWLvr7sUROPv_k0rfKgmkMRRttk-EjGQ@mail.gmail.com> <05bf01cf21db$5146c2a0$f3d447e0$@digicert.com>
Date: Tue, 04 Feb 2014 11:18:45 -0800
Message-ID: <CACvaWvavkyC72_b88KDbi2RBoG4zEnHPiMpeeZHmEb+adgMgTA@mail.gmail.com>
From: Ryan Sleevi <sleevi@google.com>
To: Jeremy Rowley <jeremy.rowley@digicert.com>
Cc: Adam Langley <agl@chromium.org>, certificate-transparency@googlegroups.com, CABFPub <public@cabforum.org>
On Tue, Feb 4, 2014 at 11:00 AM, Jeremy Rowley <jeremy.rowley@digicert.com> wrote:

> The entire point is to disclose the entire universe of public certificates
> to the customer. If the customer doesn't want to use it, the purpose is no
> longer being fulfilled. The way we plan on implementing CT will ensure logs
> are not irrevocable. I agree we should make SCTs as small as possible, but
> the last I've heard from our team is they are still at 100 bytes per log.
>
> Jeremy

Moving therightkey@ietf.org to bcc to avoid cross-posting.

I wanted to correct a misunderstanding that I've seen repeated several times within the CA/Browser Forum, and which I've tried to correct repeatedly.

No, the entire point is NOT to disclose the entire universe of public certificates to the customer. The entire point is to disclose the entire universe of public certificates __to the public__.

That is, if no *customer* ever uses CT to monitor logs (an improbable and extremely unlikely situation, as demonstrated by the IETF WG chartering), we will STILL see CT as a benefit to the public and as a success.

This is because CT provides capabilities to allow ALL relying parties to audit public CAs. This capability extends to allowing root store operators to audit compliance to their programs. This capability extends to those who ingest root programs to examine the authorities trusted by these root programs. This allows independent third parties to monitor compliance to stated policies and practices. The current practice sees a random audit at a point in time conducted by an auditor (ETSI or WebTrust), often with a quite small percentage (3%, at most, IIRC), with the results of those audits not disclosed to any entity beyond the CA. Even if every browser program required full disclosure to the browser, this would fail to meet the goals.

I want to make sure it's clear _why_ we're requiring CT, and where the value is derived from, as suggesting the *entire* point is just for the customer misses out on the significant improvements to the ecosystem. It's already clear that root store operators care about these things - as seen by Google's indexing or Microsoft's SmartScreen reporting ( http://realworldcrypto.files.wordpress.com/2013/06/shumow.pdf ). These are NOT sufficient technologies, as has been previously suggested, but they do demonstrate the increasing concern of root stores - and the interested parties such as EFF and the Certificate Observatory. CT addresses many of these holes, but only when it's required. We're happy to add CT to the list of requirements for CAs that wish to participate in our root stores and EV programs because of this, and we hope that other root store operators will follow.

> > -----Original Message-----
> > From: therightkey [mailto:therightkey-bounces@ietf.org] On Behalf Of Adam Langley
> > Sent: Tuesday, February 04, 2014 10:52 AM
> > To: certificate-transparency@googlegroups.com
> > Cc: therightkey@ietf.org; Ben Laurie; CABFPub
> > Subject: Re: [therightkey] [cabfpub] Updated Certificate Transparency + Extended Validation plan
> >
> > On Tue, Feb 4, 2014 at 12:33 PM, Jeremy Rowley <jeremy.rowley@digicert.com> wrote:
> > > Three or four proofs for a 27 month certificate is way too many. The
> > > number of proofs should be decided based on the customer's risk profile, not
> > > a set number based on certificate lifecycle. Adding 400 bytes per
> > > certificate will make EV certificates unusable by entities concerned with
> > > performance.
> >
> > The customer doesn't carry the risk: the risk is that we'll be unable to
> > revoke a log in clients due to the number of certificates that depend on
> > it.
> >
> > We should make the SCTs as small as possible, but the switch to larger
> > initcwnds in recent years has released much of the pressure on keeping
> > certificate sizes below the traditional initcwnd limit.
> >
> > Cheers
> >
> > AGL
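The SCT size figures argued over in this message (about 100 bytes per log, roughly 400 bytes for three or four proofs) follow from the RFC 6962 wire format. The Python below is an added example for this page, not code from any of the thread's participants: it serializes and parses a SignedCertificateTimestampList so the per-certificate overhead can be measured; log IDs, timestamps and signature bytes are constructed placeholders, not real log data.

```python
import struct

SCT_V1 = 0
HASH_SHA256, SIG_ECDSA = 4, 3  # RFC 5246 SignatureAndHashAlgorithm code points

def serialize_sct(log_id, timestamp_ms, signature, extensions=b""):
    """TLS-encode one RFC 6962 v1 SignedCertificateTimestamp."""
    if len(log_id) != 32:
        raise ValueError("LogID is the 32-byte SHA-256 of the log's public key")
    return (bytes([SCT_V1]) + log_id + struct.pack(">Q", timestamp_ms)
            + struct.pack(">H", len(extensions)) + extensions
            + bytes([HASH_SHA256, SIG_ECDSA]) + struct.pack(">H", len(signature)) + signature)

def serialize_sct_list(scts):
    """SignedCertificateTimestampList: 2-byte total length, then 2-byte-prefixed SCTs."""
    body = b"".join(struct.pack(">H", len(s)) + s for s in scts)
    return struct.pack(">H", len(body)) + body

def parse_sct(sct):
    """Decode one SCT, rejecting unknown versions and length mismatches."""
    if sct[0] != SCT_V1:
        raise ValueError("unsupported SCT version %d" % sct[0])
    ts, ext_len = struct.unpack(">QH", sct[33:43])
    p = 43 + ext_len  # SignatureAndHashAlgorithm starts right after the extensions
    (sig_len,) = struct.unpack(">H", sct[p + 2:p + 4])
    if p + 4 + sig_len != len(sct):
        raise ValueError("SCT length does not match its fields")
    return {"log_id": sct[1:33], "timestamp": ts, "hash_alg": sct[p], "sig_alg": sct[p + 1],
            "signature": sct[p + 4:p + 4 + sig_len], "size": len(sct)}

def parse_sct_list(data):
    """Decode a SignedCertificateTimestampList, rejecting truncated or slack bytes."""
    (total,) = struct.unpack(">H", data[:2])
    if total != len(data) - 2:
        raise ValueError("list length does not match payload")
    pos, out = 2, []
    while pos < len(data):
        (n,) = struct.unpack(">H", data[pos:pos + 2])
        sct = data[pos + 2:pos + 2 + n]
        if len(sct) != n:
            raise ValueError("truncated SCT at offset %d" % pos)
        out.append(parse_sct(sct))
        pos += 2 + n
    return out

def sct_list_overhead(n_logs, sig_len=71):
    """Bytes n_logs SCTs add; constructed log IDs, placeholder DER ECDSA P-256 signature."""
    sig = b"\x30" + bytes(sig_len - 1)  # placeholder: a real DER ECDSA P-256 sig is 70-72 bytes
    scts = [serialize_sct(bytes([i + 1]) * 32, 1391541525427, sig) for i in range(n_logs)]
    return len(serialize_sct_list(scts))
```

With a 71-byte placeholder signature each v1 SCT is 118 bytes, so four SCTs cost 482 bytes in the TLS list form; the X.509 extension wraps the same list in a DER OCTET STRING, adding a few more bytes.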