Re: [therightkey] Fwd: Improving EV Certificate Security

Ben Laurie <benl@google.com> Thu, 26 September 2013 14:37 UTC

Date: Thu, 26 Sep 2013 15:36:30 +0100
Message-ID: <CABrd9SR=x8Nbg8nU9uxavaF6_UCb11NgadBdo8r_mzrwAbCRqA@mail.gmail.com>
From: Ben Laurie <benl@google.com>
To: Joseph Bonneau <jbonneau@gmail.com>
Cc: "therightkey@ietf.org" <therightkey@ietf.org>, "tls@ietf.org" <tls@ietf.org>
Subject: Re: [therightkey] Fwd: Improving EV Certificate Security

On 26 September 2013 15:29, Joseph Bonneau <jbonneau@gmail.com> wrote:
>> > I'd like some elaboration on the plan for step 6, creating a whitelist of
>> > valid EV certificates without an SCT. How is this going to be achieved?
>>
>> Not sure what the question is - as the doc says, the list will be
>> constructed from the logs...
>
>
> I think I read it incorrectly as "without an embedded CT from *any* qualifying
> logs" instead of "from all qualifying logs." Now I can see how the whitelist
> is created, but I'm less clear on what the intention of it is. Is the
> assumption that some certs will be issued with more than zero but fewer than
> three SCTs (proposed to be the minimum acceptable in the "Qualifying
> Certificates" section) and you'd like to whitelist such certs during the
> rollout period?

Ah. So, all existing certs do not have embedded SCTs. So, we either
wait until all existing certs expire before we can enforce CT, or we
whitelist the unexpired certs.

> Also, why isn't there a step 8 in the plan, where the whitelist is
> deprecated and every EV cert requires SCTs and Chrome is rejecting the EV
> certs without them?

The whitelist is fixed, so at some point all certs in the whitelist
expire, and the whitelist thus becomes empty.
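
Added example, not part of the original message and not Chrome's code: a small model of the fixed whitelist discussed above, showing that a snapshot taken once from the logs needs no removal step because its entries stop matching as the certificates expire. The freeze date, the fingerprints and the log entries are constructed, and the three-SCT threshold is taken from the quoted proposal as an assumption.

```python
from dataclasses import dataclass
from datetime import date

MIN_SCTS = 3  # assumption: the minimum quoted in the thread

@dataclass(frozen=True)
class Cert:
    fingerprint: str        # constructed placeholder, not a real hash
    is_ev: bool
    not_after: date
    embedded_scts: int = 0

def build_whitelist(log_entries, freeze_date):
    """One-off snapshot: unexpired EV certs in the logs with no embedded SCT.
    Nothing is added after freeze_date (a hypothetical cut-off)."""
    return frozenset(
        c.fingerprint for c in log_entries
        if c.is_ev and c.embedded_scts == 0 and c.not_after >= freeze_date
    )

def ev_status(cert, whitelist, today):
    """True if the cert gets EV treatment on `today` once CT is enforced."""
    if not cert.is_ev or cert.not_after < today:
        return False
    if cert.embedded_scts >= MIN_SCTS:
        return True
    return cert.fingerprint in whitelist

def live_entries(whitelist, log_entries, today):
    """Whitelist entries that can still match an unexpired certificate."""
    by_fp = {c.fingerprint: c for c in log_entries}
    return {fp for fp in whitelist if by_fp[fp].not_after >= today}

# Constructed sample log contents.
LOG = [
    Cert("fp-old-ev-1", True, date(2014, 6, 1)),
    Cert("fp-old-ev-2", True, date(2015, 9, 1)),
    Cert("fp-expired", True, date(2013, 1, 1)),
    Cert("fp-dv", False, date(2015, 1, 1)),
    Cert("fp-new-ev", True, date(2016, 1, 1), embedded_scts=3),
]
FREEZE = date(2014, 1, 1)
WHITELIST = build_whitelist(LOG, FREEZE)
# An EV cert issued after the freeze without SCTs is never whitelisted.
LATE = Cert("fp-late-ev", True, date(2016, 3, 1))

if __name__ == "__main__":
    for day in (date(2014, 2, 1), date(2015, 1, 1), date(2016, 1, 1)):
        print(day, sorted(live_entries(WHITELIST, LOG, day)),
              ev_status(LATE, WHITELIST, day))
```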