Re: [therightkey] [cabfpub] Updated Certificate Transparency + Extended Validation plan

Adam Langley <agl@chromium.org> Tue, 04 February 2014 20:50 UTC

From: Adam Langley <agl@chromium.org>
Date: Tue, 04 Feb 2014 15:50:33 -0500
Message-ID: <CAL9PXLzKqwNavow6Vhm9FBD_9U_PepNSxfRZfQv7=r7vDeb07w@mail.gmail.com>
To: certificate-transparency <certificate-transparency@googlegroups.com>
Cc: therightkey <therightkey@ietf.org>, CABFPub <public@cabforum.org>
Subject: Re: [therightkey] [cabfpub] Updated Certificate Transparency + Extended Validation plan

On Tue, Feb 4, 2014 at 3:37 PM, Jeremy Rowley
<jeremy.rowley@digicert.com> wrote:
> Doesn't that simply require the cert user to either start using OCSP with an
> embedded certificate or getting a new certificate from the user?

If the certificate was used with OCSP stapling, the CA had a
reasonably short OCSP validity window, and the CA could update the SCT
in the OCSP response quickly, then that would solve the problem.

However, for the purposes of this spec I don't think we said anything
about that because of the complexity. Having multiple SCTs is clearly
ok and that kept things simple.

> Plus, under the current plan, the site doesn't go dark. Instead, their EV cert isn't recognized as an EV certificate.

For EV certificates the problem is greatly reduced. But EV
certificates are just a trial for doing it universally and we have the
end state in mind.


Cheers

AGL
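An added illustration of the mechanism discussed above; it is not code from the thread or from any CT implementation. It pools SCTs embedded in the certificate with SCTs delivered in a stapled OCSP response, drops SCTs from logs that are no longer qualified at validation time, and shows that a shortfall costs only EV recognition rather than trust. The log identifiers, dates and the required count of two distinct logs are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class SCT:
    log_id: str   # constructed identifier of the CT log that issued this SCT
    source: str   # "embedded" (X.509 extension) or "ocsp" (stapled OCSP response)


@dataclass(frozen=True)
class LogState:
    disqualified_at: Optional[datetime] = None  # None means the log is still qualified


def qualified_scts(scts: Iterable[SCT], logs: Dict[str, LogState], now: datetime) -> List[SCT]:
    """Keep only SCTs from logs the client still recognises at validation time."""
    kept = []
    for sct in scts:
        state = logs.get(sct.log_id)
        if state is None:                       # unknown log: the SCT carries no weight
            continue
        if state.disqualified_at is not None and state.disqualified_at <= now:
            continue                            # log was disqualified after issuance
        kept.append(sct)
    return kept


def evaluate(embedded: List[SCT], stapled_ocsp: List[SCT], logs: Dict[str, LogState],
             now: datetime, required: int = 2) -> dict:
    """Pool SCTs from both delivery paths and decide whether EV is recognised.

    `required` is an assumed policy value: distinct qualified logs needed for EV.
    Chain validation is out of scope, so the certificate stays trusted either way."""
    pooled = qualified_scts(list(embedded) + list(stapled_ocsp), logs, now)
    distinct_logs = {s.log_id for s in pooled}  # two SCTs from one log count once
    return {"trusted": True, "ev": len(distinct_logs) >= required,
            "qualified_logs": sorted(distinct_logs)}


def demo() -> dict:
    """Constructed scenario: the cert carries SCTs from logs A and B; log B is later disqualified."""
    now = datetime(2014, 6, 1, tzinfo=timezone.utc)
    logs = {"logA": LogState(),
            "logB": LogState(disqualified_at=datetime(2014, 5, 1, tzinfo=timezone.utc)),
            "logC": LogState()}
    embedded = [SCT("logA", "embedded"), SCT("logB", "embedded")]
    before = evaluate(embedded, [], logs, now)                    # only log A still counts
    after = evaluate(embedded, [SCT("logC", "ocsp")], logs, now)  # CA added a fresh SCT via OCSP
    return {"before": before, "after": after}
```

Without the OCSP-delivered SCT the certificate is still trusted but loses EV; adding one fresh SCT through the stapled response restores EV without reissuing the certificate.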