Re: [therightkey] [cabfpub] Updated Certificate Transparency + Extended Validation plan

"Jeremy Rowley" <jeremy.rowley@digicert.com> Wed, 05 February 2014 16:29 UTC

From: Jeremy Rowley <jeremy.rowley@digicert.com>
To: 'Adam Langley' <agl@chromium.org>, 'certificate-transparency' <certificate-transparency@googlegroups.com>
Cc: therightkey@ietf.org, 'CABFPub' <public@cabforum.org>
Date: Wed, 05 Feb 2014 09:29:44 -0700
Subject: Re: [therightkey] [cabfpub] Updated Certificate Transparency + Extended Validation plan
Message-ID: <0b6601cf228f$805d0040$811700c0$@digicert.com>
In-Reply-To: <CAL9PXLzCqvBGW=Du9ZAdMXiVgcO8WJHXf+wG7EuzE2246TFEmg@mail.gmail.com>

We've issued one-month certs before. We would have used shorter certs if the
CAB Forum had relaxed the OCSP requirements. Since these are supposed to be
extremely streamlined, one SCT would be great.

Jeremy

-----Original Message-----
From: public-bounces@cabforum.org [mailto:public-bounces@cabforum.org] On
Behalf Of Adam Langley
Sent: Wednesday, February 05, 2014 8:40 AM
To: certificate-transparency
Cc: therightkey@ietf.org; CABFPub
Subject: Re: [cabfpub] Updated Certificate Transparency + Extended
Validation plan

On Wed, Feb 5, 2014 at 10:26 AM, Rob Stradling <rob.stradling@comodo.com>
wrote:
> Also, what happened to the idea of only requiring 1 SCT for a 1-month
> cert?

I'm to blame for that.

Certificates with a single SCT put a lower bound on how quickly we can
distrust a log (at least without special measures, such as shipping the
whole, public log hashes to all the clients, which is probably
impractical.) Since I'm not aware of any CAs issuing one-month certs, and it
only saves ~100 bytes vs 2 SCTs, it seemed to be something that should be
dropped.

Cheers

AGL
_______________________________________________
Public mailing list
Public@cabforum.org
https://cabforum.org/mailman/listinfo/public
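The trade-off Adam Langley describes above, as an added example that is not part of the thread and not code from any CT implementation. It models a certificate's SCTs, serialises them per RFC 6962 section 3.2 to show the byte cost of a second SCT, and computes how long a log must stay trusted once single-SCT certificates depend on it. The policy is an assumption of mine: an SCT issued before its log was distrusted still counts as evidence of logging (Chrome-style disqualification), a certificate must additionally carry at least one SCT from a log that is trusted right now, and one SCT suffices for certificates of a month or less while longer ones need two, mirroring the proposal under discussion. Log IDs, the 71-byte placeholder signature and the two certificates are constructed sample data.

```python
"""Toy model of the SCT-count versus log-distrust trade-off (added example).
Assumed policy, not any browser's actual one: see the lead-in above."""
import hashlib
import struct
from dataclasses import dataclass

DAY_MS = 86_400_000


@dataclass(frozen=True)
class SCT:
    log_id: bytes      # SHA-256 of the log's public key, 32 bytes (RFC 6962 s3.2)
    timestamp_ms: int  # log-assigned timestamp, ms since the Unix epoch
    signature: bytes   # DER-encoded ECDSA P-256 signature, typically 70-72 bytes

    def encode(self) -> bytes:
        """TLS-style serialisation of a v1 SignedCertificateTimestamp (RFC 6962 s3.2)."""
        extensions = b""  # CT v1 defines no extensions
        return (b"\x00"                                      # sct_version = v1
                + self.log_id
                + struct.pack(">Q", self.timestamp_ms)
                + struct.pack(">H", len(extensions)) + extensions
                + b"\x04\x03"                                # SignatureAndHashAlgorithm: sha256, ecdsa
                + struct.pack(">H", len(self.signature)) + self.signature)


def sct_list_size(scts) -> int:
    """Wire cost of a SignedCertificateTimestampList: 2-byte list length plus a 2-byte prefix per SCT."""
    return 2 + sum(2 + len(s.encode()) for s in scts)


@dataclass(frozen=True)
class Cert:
    name: str
    not_before_ms: int
    not_after_ms: int
    scts: tuple


def required_scts(cert: Cert) -> int:
    """Hypothetical per-lifetime policy: one SCT for certs of one month or less, two otherwise."""
    return 1 if cert.not_after_ms - cert.not_before_ms <= 31 * DAY_MS else 2


def satisfies_policy(cert: Cert, trusted: set, distrusted_at: dict) -> bool:
    """distrusted_at maps log_id -> instant (ms) from which that log is no longer trusted."""
    def still_evidence(s):  # an SCT issued before its log went bad still proves logging
        return s.log_id in trusted or s.timestamp_ms < distrusted_at.get(s.log_id, 0)
    evidence_logs = {s.log_id for s in cert.scts if still_evidence(s)}
    live_logs = {s.log_id for s in cert.scts if s.log_id in trusted}
    return len(evidence_logs) >= required_scts(cert) and len(live_logs) >= 1


def earliest_safe_distrust_ms(log_id, certs, trusted, distrusted_at, now_ms) -> int:
    """Earliest instant at which log_id can be distrusted without breaking a currently-valid,
    unexpired certificate: the latest expiry among the certs that would stop passing.
    This is the lower bound the thread refers to."""
    after = (trusted - {log_id}, {**distrusted_at, log_id: now_ms})
    broken = [c for c in certs
              if c.not_after_ms > now_ms
              and satisfies_policy(c, trusted, distrusted_at)
              and not satisfies_policy(c, *after)]
    return max((c.not_after_ms for c in broken), default=now_ms)


# Constructed sample data: two logs, a placeholder signature, two certificates.
LOG_A = hashlib.sha256(b"example log A public key").digest()
LOG_B = hashlib.sha256(b"example log B public key").digest()
FAKE_SIG = bytes(71)  # stands in for a DER ECDSA signature; nothing verifies it here
T0 = 1_391_616_000_000  # 5 Feb 2014, roughly the date of the thread

ONE_MONTH_ONE_SCT = Cert("one-month, 1 SCT", T0, T0 + 30 * DAY_MS,
                         (SCT(LOG_A, T0, FAKE_SIG),))
ONE_YEAR_TWO_SCTS = Cert("one-year, 2 SCTs", T0, T0 + 365 * DAY_MS,
                         (SCT(LOG_A, T0, FAKE_SIG), SCT(LOG_B, T0, FAKE_SIG)))
CERTS = [ONE_MONTH_ONE_SCT, ONE_YEAR_TWO_SCTS]
TRUSTED = {LOG_A, LOG_B}


def demo(now_ms=T0 + DAY_MS):
    """Distrust log A one day after issuance; report which certs survive and how long
    log A would have had to stay trusted to avoid breaking any of them."""
    after_trusted, after_distrusted = TRUSTED - {LOG_A}, {LOG_A: now_ms}
    survives = {c.name: satisfies_policy(c, after_trusted, after_distrusted) for c in CERTS}
    wait_days = (earliest_safe_distrust_ms(LOG_A, CERTS, TRUSTED, {}, now_ms) - now_ms) // DAY_MS
    return survives, wait_days


if __name__ == "__main__":
    survives, wait_days = demo()
    for name, ok in survives.items():
        print(f"{name}: {'still accepted' if ok else 'REJECTED'} once log A is distrusted")
    print(f"log A cannot be dropped for {wait_days} more days without breaking a live cert")
    print(f"SCT list on the wire: one SCT = {sct_list_size(ONE_MONTH_ONE_SCT.scts)} bytes, "
          f"two SCTs = {sct_list_size(ONE_YEAR_TWO_SCTS.scts)} bytes")
```

Under these assumptions the single-SCT certificate is rejected the moment its only log is distrusted, so the log has to be kept trusted until that certificate expires (29 more days in the sample), whereas the two-SCT certificate keeps one SCT from a live log and survives. The serialisation shows the cost side of the trade-off: a v1 SCT with a 71-byte ECDSA signature is 118 bytes, so the second SCT adds 120 bytes including its length prefix, in line with the "~100 bytes" figure quoted above.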