Re: [therightkey] [cabfpub] Updated Certificate Transparency + Extended Validation plan

Carl Wallace <carl@redhoundsoftware.com> Wed, 05 February 2014 16:51 UTC

Date: Wed, 05 Feb 2014 11:51:29 -0500
From: Carl Wallace <carl@redhoundsoftware.com>
To: Adam Langley <agl@chromium.org>
Cc: therightkey <therightkey@ietf.org>
Subject: Re: [therightkey] [cabfpub] Updated Certificate Transparency + Extended Validation plan

On 2/4/14, 2:41 PM, "Adam Langley" <agl@chromium.org> wrote:

>On Tue, Feb 4, 2014 at 2:10 PM, Jeremy Rowley
><jeremy.rowley@digicert.com> wrote:
>> I do not think this is correct.  The number of proofs actually
>>increases as you decrease validity periods.
>
>Consider a certificate setting out on a journey. It always needs to
>have identity papers with it because the Browser Police are always on
>the lookout for unregistered certificates. However, the Browser Police
>sometimes decide that certain forms of ID are no longer acceptable and
>so a certificate needs to carry several forms of ID with it. If it's
>setting out on a one year journey it's wise to have two forms of ID
>because one might become distrusted over the year, but it's
>vanishingly unlikely that both would be.
>
>However, if our plucky certificate is setting out on a two year
>journey then it's wise to carry three forms of ID just in case two
>become useless while it's out in the world. The longer it'll be out,
>the more forms of ID it should carry to ensure that one is always
>acceptable.

This would be clearer if the section of the document that notes Chrome
will periodically refresh the list of qualifying logs also indicated that
the list of formerly qualifying logs will be updated. You will need both
lists.
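Adam's scaling argument and Carl's point about needing both log lists, as an added Python model that is not from the thread; the SCT threshold rule, log IDs and dates are constructed assumptions, not Chrome's actual policy values:

```python
from dataclasses import dataclass
from datetime import date
from math import ceil


@dataclass
class LogLists:
    """Chrome's two lists: currently qualifying logs, and formerly qualifying
    logs keyed by the date they stopped qualifying (the second list Carl asks for)."""
    qualifying: set[str]
    formerly_qualifying: dict[str, date]

    def accepted_on(self, log_id: str, when: date) -> bool:
        # Accepted if still qualifying, or if it was disqualified only after `when`.
        if log_id in self.qualifying:
            return True
        return when < self.formerly_qualifying.get(log_id, date.min)


@dataclass
class Cert:
    not_before: date
    not_after: date
    sct_logs: list[str]  # IDs of the logs that issued this cert's SCTs


def required_scts(cert: Cert) -> int:
    """Assumed rule mirroring the quoted analogy: one SCT that must survive
    plus one spare per year of validity (1 year -> 2 SCTs, 2 years -> 3)."""
    years = ceil((cert.not_after - cert.not_before).days / 365)
    return 1 + max(1, years)


def sufficient_at_issuance(cert: Cert, lists: LogLists) -> bool:
    # Only SCTs from logs that were accepted on the issuance date count.
    accepted = [l for l in cert.sct_logs if lists.accepted_on(l, cert.not_before)]
    return len(accepted) >= required_scts(cert)


def still_trusted_on(cert: Cert, lists: LogLists, when: date) -> bool:
    """The 'journey' check: inside the validity period, at least one SCT must
    still come from a log the Browser Police accept on `when`."""
    if not (cert.not_before <= when <= cert.not_after):
        return False
    return any(lists.accepted_on(l, when) for l in cert.sct_logs)


# Constructed sample data: log IDs and disqualification dates are made up.
LISTS = LogLists(
    qualifying={"log-a"},
    formerly_qualifying={"log-b": date(2015, 1, 1), "log-c": date(2015, 9, 1)},
)
TWO_YEAR_CERT = Cert(date(2014, 2, 5), date(2016, 2, 5), ["log-a", "log-b", "log-c"])
ONE_YEAR_CERT = Cert(date(2014, 2, 5), date(2015, 2, 5), ["log-b", "log-c"])
```

With an empty formerly-qualifying list, SCTs from log-b and log-c cannot be evaluated at all, so the two-year certificate fails its issuance check even though those logs were accepted when it was issued.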