Re: [therightkey] [cabfpub] Updated Certificate Transparency + Extended Validation plan

Rob Stradling <rob.stradling@comodo.com> Mon, 10 February 2014 10:13 UTC

Return-Path: <rob.stradling@comodo.com>
X-Original-To: therightkey@ietfa.amsl.com
Delivered-To: therightkey@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9AEC01A05DE for <therightkey@ietfa.amsl.com>; Mon, 10 Feb 2014 02:13:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.11
X-Spam-Level:
X-Spam-Status: No, score=0.11 tagged_above=-999 required=5 tests=[BAYES_05=-0.5, HELO_MISMATCH_NET=0.611, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Be-czQoH13vI for <therightkey@ietfa.amsl.com>; Mon, 10 Feb 2014 02:13:41 -0800 (PST)
Received: from ian.brad.office.comodo.net (eth5.brad-fw.brad.office.ccanet.co.uk [178.255.87.226]) by ietfa.amsl.com (Postfix) with ESMTP id 0E96F1A07D5 for <therightkey@ietf.org>; Mon, 10 Feb 2014 02:13:40 -0800 (PST)
Received: (qmail 8487 invoked by uid 1000); 10 Feb 2014 10:13:37 -0000
Received: from nigel.brad.office.comodo.net (HELO [192.168.0.58]) (192.168.0.58) (smtp-auth username rob, mechanism plain) by ian.brad.office.comodo.net (qpsmtpd/0.40) with (CAMELLIA256-SHA encrypted) ESMTPSA; Mon, 10 Feb 2014 10:13:37 +0000
Message-ID: <52F8A650.6060209@comodo.com>
Date: Mon, 10 Feb 2014 10:13:36 +0000
From: Rob Stradling <rob.stradling@comodo.com>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:24.0) Gecko/20100101 Thunderbird/24.1.1
MIME-Version: 1.0
To: certificate-transparency@googlegroups.com
References: <CABrd9STwBDxwB1vtmS9Ozb5e_7D=zfOqkOBeAaT2HG7X-cw5gw@mail.gmail.com> <52F25835.60702@comodo.com> <CAL9PXLzCqvBGW=Du9ZAdMXiVgcO8WJHXf+wG7EuzE2246TFEmg@mail.gmail.com> <52F27445.6040701@comodo.com> <CAL9PXLzfatu_2LNCrCAKZWYLJArXE7+PDXswGD5fYK0byg-iJQ@mail.gmail.com> <52F2811A.9030800@comodo.com> <CABrd9SSxLCMOFv7GszzDf-xbZMYUTP6N3WSbK=8NOM=nCBy=Bg@mail.gmail.com>
In-Reply-To: <CABrd9SSxLCMOFv7GszzDf-xbZMYUTP6N3WSbK=8NOM=nCBy=Bg@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: "therightkey@ietf.org" <therightkey@ietf.org>, CABFPub <public@cabforum.org>
Subject: Re: [therightkey] [cabfpub] Updated Certificate Transparency + Extended Validation plan
X-BeenThere: therightkey@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <therightkey.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/therightkey>, <mailto:therightkey-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/therightkey/>
List-Post: <mailto:therightkey@ietf.org>
List-Help: <mailto:therightkey-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/therightkey>, <mailto:therightkey-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 10 Feb 2014 10:13:44 -0000

On 08/02/14 13:32, Ben Laurie wrote:
> On 5 February 2014 18:21, Rob Stradling <rob.stradling@comodo.com> wrote:
>> On 05/02/14 17:49, Adam Langley wrote:
>>>
>>> On Wed, Feb 5, 2014 at 12:26 PM, Rob Stradling <rob.stradling@comodo.com>
>>> wrote:
>>>>
>>>> Presumably it's somewhere between 10 and 31 days, since 1 SCT is
>>>> acceptable
>>>> for Stapled OCSP and the BRs permit OCSP Responses to be valid for up to
>>>> 10
>>>> days.
>>>
>>>
>>> The speed at which we need to distrust a log depends on the minimum
>>> number of SCTs actually, which is why allowing a single SCT in stapled
>>> OCSP responses is such a large concession. If the minimum number of
>>> SCTs were two then the pressure to distrust a log (and the pressure on
>>> the logs) would be dramatically reduced because compromising one log
>>> wouldn't be sufficient.
>>>
>>>> Do you still think [1] is a good plan?
>>>
>>>
>>> Sure, if any CAs are willing to do it now :)
>>
>>
>> I think "servers could just download their refreshed certificate over HTTP
>> periodically and automatically" is the showstopper at the moment. Yes they
>> could, but I'm not aware of any server that actually implements such a
>> feature.
>
> Work is under way for Apache: https://github.com/trawick/ct-httpd/.

That looks like great work, but AFAICT it's only for fetching SCTs from 
CT Logs.

I was talking about the lack of any mechanism in popular webserver 
software for automatically fetching and installing certificates from 
CAs.  In particular: a short-duration certificate that reuses the same 
public key as the previous certificate.

-- 
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online