Re: [therightkey] Updated Certificate Transparency + Extended Validation plan

Rob Stradling <rob.stradling@comodo.com> Wed, 05 February 2014 17:48 UTC

Message-ID: <52F27952.4040806@comodo.com>
Date: Wed, 05 Feb 2014 17:48:02 +0000
From: Rob Stradling <rob.stradling@comodo.com>
To: certificate-transparency@googlegroups.com, "therightkey@ietf.org" <therightkey@ietf.org>
Cc: CABFPub <public@cabforum.org>
References: <CABrd9STwBDxwB1vtmS9Ozb5e_7D=zfOqkOBeAaT2HG7X-cw5gw@mail.gmail.com> <52F25835.60702@comodo.com> <C5A3D96C-64C9-4993-8F78-CCCB5272343A@vpnc.org>
In-Reply-To: <C5A3D96C-64C9-4993-8F78-CCCB5272343A@vpnc.org>

On 05/02/14 16:55, Paul Hoffman wrote:
> On Feb 5, 2014, at 7:26 AM, Rob Stradling <rob.stradling@comodo.com> wrote:
>
>> Table 1 and Footnote 4 seem a bit confused, wrongly implying that 39-month EV certs do exist and/or that >39-month non-EV certs don't exist.
>>
>>> 27 month EV SSL certificates shouldn't exist, as per the EV Guidelines.
>>
>>> 60 month non-EV SSL certificates shouldn't have been issued by any CA since the BRs came into effect.
>>
>>> 39 month non-EV SSL certificates shouldn't be issued from 1st April 2015, as per the BRs.
>
> The above seems to be based on the belief that no one other than CABForum members issues certificates. It also seems to be based on the idea that no CABForum member will ever not follow the current-at-the-time CABForum rules.
>
> The CT work seems to be based on the idea that other CAs exist, and even that CABForum members might not follow the CABForum rules. Those seem like good assumptions to me.

Paul, there are 2 things going on here.

1. The IETF CT work (i.e. RFC6962) hasn't specified anything about requiring multiple SCTs, and I doubt RFC6962-bis will change that.  In this context, other CAs do exist (both CABForum non-members and non-publicly-trusted CAs).

2. The Chrome CT roll-out plan.  In this context, CAs that don't adhere to the BRs and EVGs are likely to find that their non-compliant certs are rejected for other reasons.  This is the context to which I was speaking.

-- 
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online