Re: [therightkey] Updated Certificate Transparency + Extended Validation plan

Adam Langley <agl@chromium.org> Wed, 05 February 2014 15:40 UTC

In-Reply-To: <52F25835.60702@comodo.com>
References: <CABrd9STwBDxwB1vtmS9Ozb5e_7D=zfOqkOBeAaT2HG7X-cw5gw@mail.gmail.com> <52F25835.60702@comodo.com>
From: Adam Langley <agl@chromium.org>
Date: Wed, 05 Feb 2014 10:39:49 -0500
Message-ID: <CAL9PXLzCqvBGW=Du9ZAdMXiVgcO8WJHXf+wG7EuzE2246TFEmg@mail.gmail.com>
To: certificate-transparency <certificate-transparency@googlegroups.com>
Cc: "therightkey@ietf.org" <therightkey@ietf.org>, Ben Laurie <benl@google.com>, CABFPub <public@cabforum.org>
Subject: Re: [therightkey] Updated Certificate Transparency + Extended Validation plan

On Wed, Feb 5, 2014 at 10:26 AM, Rob Stradling <rob.stradling@comodo.com> wrote:
> Also, what happened to the idea of only requiring 1 SCT for a 1-month cert?

I'm to blame for that.

Certificates with a single SCT put a lower bound on how quickly we can
distrust a log (at least without special measures, such as shipping
the whole, public log hashes to all the clients, which is probably
impractical). Since I'm not aware of any CAs issuing one month certs,
and it only saves ~100 bytes vs 2 SCTs, it seemed to be something that
should be dropped.
Cheers

AGL
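The two points in the reply above (the wire size of one SCT, and why a single SCT bounds how fast a log can be distrusted) are easy to make concrete. The following is an added example, not code from the message, from Chromium or from any CT implementation. It serialises an SCT using the RFC 6962 section 3.2 structure (version, 32-byte log ID, 64-bit timestamp, length-prefixed extensions, DigitallySigned with a 2-byte algorithm pair and length-prefixed signature) and then evaluates, for constructed certificates with hypothetical log IDs, whether the certificate still has enough SCTs from distinct, still-trusted logs after a log is distrusted. The log IDs, timestamps and 71-byte signature placeholder are constructed values, and the `minimum` threshold is a parameter of the example, not a statement of any client's policy.

```python
# Added example (not part of Adam Langley's message or of any CT project):
# (1) the RFC 6962 v1 wire encoding of an SCT, to show where the "~100 bytes
#     per SCT" comes from, and
# (2) how counting SCTs from *distinct* trusted logs decides whether a
#     certificate survives the distrust of one log.
from dataclasses import dataclass
import struct


@dataclass(frozen=True)
class SCT:
    log_id: bytes           # SHA-256 of the log's public key (32 bytes)
    timestamp_ms: int       # ms since the Unix epoch
    extensions: bytes = b""
    signature: bytes = b""  # raw DigitallySigned.signature bytes


def encode_sct(sct: SCT, hash_alg: int = 4, sig_alg: int = 3) -> bytes:
    """Serialise a v1 SCT as in RFC 6962 section 3.2.

    hash_alg=4 is sha256 and sig_alg=3 is ecdsa in the TLS 1.2
    SignatureAndHashAlgorithm registry, which RFC 6962 reuses."""
    if len(sct.log_id) != 32:
        raise ValueError("log_id must be 32 bytes")
    if len(sct.extensions) > 0xFFFF or len(sct.signature) > 0xFFFF:
        raise ValueError("extensions/signature exceed 2-byte length prefix")
    return (b"\x00"                                   # sct_version = v1
            + sct.log_id
            + struct.pack(">Q", sct.timestamp_ms)
            + struct.pack(">H", len(sct.extensions)) + sct.extensions
            + bytes([hash_alg, sig_alg])              # DigitallySigned.algorithm
            + struct.pack(">H", len(sct.signature)) + sct.signature)


def trusted_log_count(scts, distrusted_log_ids) -> int:
    """Number of distinct logs, not on the distrust list, that vouch for the cert.

    Two SCTs from the same log count once: duplicates give no independence."""
    return len({s.log_id for s in scts if s.log_id not in distrusted_log_ids})


def survives_distrust(scts, distrusted_log_ids, minimum: int) -> bool:
    """True if the certificate still meets `minimum` SCTs from trusted logs."""
    return trusted_log_count(scts, distrusted_log_ids) >= minimum


# Constructed sample data (hypothetical log IDs and a placeholder signature).
LOG_A = bytes([0xA1]) * 32
LOG_B = bytes([0xB2]) * 32
FAKE_SIG = bytes(71)   # typical DER-encoded ECDSA P-256 signature length
TS = 1391614810670     # ms; constructed, not taken from any real log

ONE_SCT_CERT = [SCT(LOG_A, TS, signature=FAKE_SIG)]
TWO_SCT_CERT = [SCT(LOG_A, TS, signature=FAKE_SIG),
                SCT(LOG_B, TS, signature=FAKE_SIG)]
SAME_LOG_TWICE = [SCT(LOG_A, TS, signature=FAKE_SIG),
                  SCT(LOG_A, TS + 1, signature=FAKE_SIG)]


def sct_wire_size() -> int:
    """Bytes one minimal SCT costs on the wire (no extensions)."""
    return len(encode_sct(ONE_SCT_CERT[0]))


def distrust_log_a_outcome() -> dict:
    """Which sample certificates stay valid at minimum=1 once LOG_A is distrusted."""
    distrusted = {LOG_A}
    return {
        "one_sct": survives_distrust(ONE_SCT_CERT, distrusted, minimum=1),
        "two_logs": survives_distrust(TWO_SCT_CERT, distrusted, minimum=1),
        "same_log_twice": survives_distrust(SAME_LOG_TWICE, distrusted, minimum=1),
    }


if __name__ == "__main__":
    print("bytes per SCT:", sct_wire_size())
    print("after distrusting LOG_A:", distrust_log_a_outcome())
```

Distrusting a log makes every certificate whose only SCT came from that log fail the check, which is the lower bound the reply describes: the distrust cannot take effect until those certificates have expired or been reissued. With SCTs from two independent logs, the second log carries the certificate through. The size function gives 118 bytes for a minimal SCT with a 71-byte ECDSA signature, matching the "~100 bytes" saving per SCT mentioned in the message.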