Re: [therightkey] [cabfpub] Updated Certificate Transparency + Extended Validation plan

"Jeremy Rowley" <jeremy.rowley@digicert.com> Tue, 04 February 2014 20:37 UTC

From: Jeremy Rowley <jeremy.rowley@digicert.com>
To: 'Adam Langley' <agl@chromium.org>
Cc: 'therightkey' <therightkey@ietf.org>, 'certificate-transparency' <certificate-transparency@googlegroups.com>, 'CABFPub' <public@cabforum.org>
Date: Tue, 04 Feb 2014 13:37:44 -0700

Doesn't that simply require the cert user to either start using OCSP with an
embedded certificate or get a new certificate from the user? Plus, under the
current plan, the site doesn't go dark. Instead, their EV cert isn't
recognized as an EV certificate.

-----Original Message-----
From: public-bounces@cabforum.org [mailto:public-bounces@cabforum.org] On
Behalf Of Adam Langley
Sent: Tuesday, February 04, 2014 1:32 PM
To: Jeremy Rowley
Cc: therightkey; certificate-transparency; CABFPub
Subject: Re: [cabfpub] Updated Certificate Transparency + Extended
Validation plan

On Tue, Feb 4, 2014 at 3:24 PM, Jeremy Rowley <jeremy.rowley@digicert.com>
wrote:
> What's wrong with rendering certificates invalid?  Isn't the burden on
> the CA to ensure their customers are satisfied?  If the CA wants to
> take the risk, let them. We'll make sure our customers 100% understand
> the risks when deciding how many proofs to embed.

But the burden of an invalid certificate significantly falls on
users/browsers, not just on the site. If distrusting a log causes 1% of the
Internet to go dark, we essentially cannot do it. It's because of these
externalities that we're seeking these assurances.


Cheers

AGL
_______________________________________________
Public mailing list
Public@cabforum.org
https://cabforum.org/mailman/listinfo/public
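The exchange above turns on a mechanical question: when a browser distrusts a log, which certificates lose their EV treatment depends on how many SCTs ("proofs") the CA embedded and from which logs. The following is an added example, not code from the thread or from any browser or CA. It parses the RFC 6962 SignedCertificateTimestampList encoding (the wire format shared by the embedded X.509 extension, the TLS extension and the OCSP extension) and then evaluates a hypothetical policy: the certificate keeps EV only if it carries SCTs from at least MIN_SCTS distinct logs that are still trusted. The threshold, the log IDs, the timestamps and the signature bytes are all constructed for the example; a real client would also verify each SCT signature against the log's public key, which this code does not do.

```python
"""Embedded-SCT policy check against a set of distrusted logs (added example)."""
import struct

# Hypothetical minimum number of SCTs from distinct trusted logs. The real
# browser policy set its own thresholds (and tied them to certificate lifetime).
MIN_SCTS = 2


def parse_sct(sct: bytes) -> dict:
    """Decode one v1 SCT: version(1) | log_id(32) | timestamp(8) |
    extensions(uint16 len + bytes) | hash_alg(1) sig_alg(1) uint16 len + sig."""
    if len(sct) < 1 + 32 + 8 + 2:
        raise ValueError("SCT too short")
    if sct[0] != 0:
        raise ValueError(f"unsupported SCT version {sct[0]}")
    log_id = sct[1:33]
    (timestamp,) = struct.unpack(">Q", sct[33:41])
    (ext_len,) = struct.unpack(">H", sct[41:43])
    ext = sct[43:43 + ext_len]
    p = 43 + ext_len
    if len(ext) != ext_len or len(sct) < p + 4:
        raise ValueError("truncated SCT extensions or signature header")
    hash_alg, sig_alg = sct[p], sct[p + 1]
    (sig_len,) = struct.unpack(">H", sct[p + 2:p + 4])
    sig = sct[p + 4:p + 4 + sig_len]
    if len(sig) != sig_len or p + 4 + sig_len != len(sct):
        raise ValueError("bad SCT signature length")
    return {"log_id": log_id, "timestamp": timestamp, "extensions": ext,
            "hash_alg": hash_alg, "sig_alg": sig_alg, "signature": sig}


def parse_sct_list(blob: bytes) -> list:
    """Decode a SignedCertificateTimestampList: uint16 total length, then a
    sequence of (uint16 length, SCT). Rejects truncation and trailing bytes."""
    if len(blob) < 2:
        raise ValueError("SCT list too short")
    (total,) = struct.unpack(">H", blob[:2])
    body = blob[2:]
    if len(body) != total:
        raise ValueError("SCT list length mismatch")
    scts, pos = [], 0
    while pos < len(body):
        if pos + 2 > len(body):
            raise ValueError("truncated SCT length prefix")
        (n,) = struct.unpack(">H", body[pos:pos + 2])
        pos += 2
        if pos + n > len(body):
            raise ValueError("truncated SCT")
        scts.append(parse_sct(body[pos:pos + n]))
        pos += n
    return scts


def is_well_formed(blob: bytes) -> bool:
    try:
        parse_sct_list(blob)
        return True
    except ValueError:
        return False


def ev_status(scts: list, distrusted: set, min_scts: int = MIN_SCTS) -> dict:
    """The thread's point in code: distrusting a log never makes the chain
    invalid under this plan; the certificate merely loses EV if fewer than
    min_scts distinct trusted logs remain. Duplicate logs count once."""
    remaining = {s["log_id"] for s in scts} - distrusted
    return {"ev": len(remaining) >= min_scts, "qualifying_logs": len(remaining)}


def encode_sct(log_id: bytes, timestamp_ms: int, signature: bytes) -> bytes:
    """Build a v1 SCT with no extensions and sha256(4)/ecdsa(3) algorithm
    bytes. Used only to construct sample input; the signature is a dummy."""
    assert len(log_id) == 32
    return (b"\x00" + log_id + struct.pack(">Q", timestamp_ms)
            + struct.pack(">H", 0) + b"\x04\x03"
            + struct.pack(">H", len(signature)) + signature)


def encode_sct_list(scts: list) -> bytes:
    body = b"".join(struct.pack(">H", len(s)) + s for s in scts)
    return struct.pack(">H", len(body)) + body


# Constructed sample: three SCTs from three made-up logs. In reality a log ID
# is the SHA-256 hash of the log's public key.
LOG_A, LOG_B, LOG_C = (bytes([i]) * 32 for i in (0xA1, 0xB2, 0xC3))
SAMPLE_EXT = encode_sct_list([
    encode_sct(LOG_A, 1391546260000, b"\x30\x06\x02\x01\x01\x02\x01\x02"),
    encode_sct(LOG_B, 1391546261000, b"\x30\x06\x02\x01\x03\x02\x01\x04"),
    encode_sct(LOG_C, 1391546262000, b"\x30\x06\x02\x01\x05\x02\x01\x06"),
])

if __name__ == "__main__":
    scts = parse_sct_list(SAMPLE_EXT)
    print(ev_status(scts, set()))           # EV kept: three trusted logs
    print(ev_status(scts, {LOG_A}))         # EV kept: B and C still count
    print(ev_status(scts, {LOG_A, LOG_B}))  # EV lost, but the site is not dark
```

Run it and vary the distrusted set to see the trade-off Jeremy and Adam are arguing about: with three embedded SCTs a single log distrust costs nothing, while a CA that embeds only the minimum leaves its customers one distrust event away from losing the EV indicator.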