Re: [therightkey] [cabfpub] Updated Certificate Transparency + Extended Validation plan

Rob Stradling <rob.stradling@comodo.com> Wed, 05 February 2014 12:54 UTC

Message-ID: <52F2348E.1090805@comodo.com>
Date: Wed, 05 Feb 2014 12:54:38 +0000
From: Rob Stradling <rob.stradling@comodo.com>
To: Jeremy Rowley <jeremy.rowley@digicert.com>
References: <CABrd9STwBDxwB1vtmS9Ozb5e_7D=zfOqkOBeAaT2HG7X-cw5gw@mail.gmail.com> <04a001cf21cf$3a649190$af2db4b0$@digicert.com>
In-Reply-To: <04a001cf21cf$3a649190$af2db4b0$@digicert.com>
Cc: therightkey@ietf.org, 'Ben Laurie' <benl@google.com>, certificate-transparency@googlegroups.com, 'CABFPub' <public@cabforum.org>
Subject: Re: [therightkey] [cabfpub] Updated Certificate Transparency + Extended Validation plan

On 04/02/14 17:33, Jeremy Rowley wrote:
<snip>
> Adding 400 bytes per certificate will make EV certificates unusable by entities concerned with performance.

BTW Jeremy, in seeking to get some perspective on this issue, I notice 
that the current EV cert for www.digicert.com has a Certificate Policies 
User Notice that takes up 338 bytes!  (2 bytes per character, 'cos for 
some reason you use a BMPString).

"Any use of this Certificate constitutes acceptance of the DigiCert 
CP/CPS and the Relying Party Agreement which limit liability and are 
incorporated herein by reference"

Is it really necessary to include this notice in each cert?

Have any "entities concerned with performance" complained about it?

You could save 169 bytes immediately by simply switching from BMPString 
to UTF8String!  ;-)

-- 
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
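The BMPString-versus-UTF8String size argument above, worked through as an added example (not code from this thread or from either CA): it DER-encodes the quoted user-notice text both ways and reports the content and total sizes, and it also shows the caveat that UTF-8 is not always the smaller choice. The CJK and emoji inputs are constructed for illustration; RFC 5280 section 4.2.1.4 says conforming CAs SHOULD use UTF8String for explicitText.

```python
"""Compare the DER size of a user-notice explicitText as BMPString vs UTF8String."""

BMPSTRING = 0x1E   # ASN.1 universal tag 30: UCS-2 big-endian, 2 bytes per character
UTF8STRING = 0x0C  # ASN.1 universal tag 12: UTF-8, 1 byte per ASCII character

# Notice text quoted in the mail above (the live cert's copy may differ by a character).
NOTICE = ("Any use of this Certificate constitutes acceptance of the DigiCert "
          "CP/CPS and the Relying Party Agreement which limit liability and are "
          "incorporated herein by reference")


def der_length(n: int) -> bytes:
    """DER definite-form length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_string(tag: int, content: bytes) -> bytes:
    """Tag || length || content (TLV) for a primitive string type."""
    return bytes([tag]) + der_length(len(content)) + content


def fits_bmpstring(text: str) -> bool:
    """BMPString is UCS-2: code points above U+FFFF cannot be represented."""
    return all(ord(c) <= 0xFFFF for c in text)


def compare(text: str) -> dict:
    """Return content and full DER sizes for both encodings, plus the DER saving."""
    if not fits_bmpstring(text):
        raise ValueError("BMPString cannot hold characters outside the BMP")
    bmp_content = text.encode("utf-16-be")   # UCS-2 == UTF-16-BE for BMP-only text
    utf8_content = text.encode("utf-8")
    bmp_der = der_string(BMPSTRING, bmp_content)
    utf8_der = der_string(UTF8STRING, utf8_content)
    return {
        "bmp_content": len(bmp_content),
        "utf8_content": len(utf8_content),
        "bmp_der": len(bmp_der),
        "utf8_der": len(utf8_der),
        "der_saving": len(bmp_der) - len(utf8_der),  # positive => UTF8String smaller
    }


if __name__ == "__main__":
    print("ASCII notice:", compare(NOTICE))
    # Constructed CJK sample: 3 chars cost 6 bytes as BMPString but 9 bytes as UTF-8.
    print("CJK sample:  ", compare("\u8a3c\u660e\u66f8"))
```

For ASCII text the UTF8String content is exactly half the BMPString content, and the DER total drops by one more byte because the length field shrinks from long form (3 bytes) to a 2-byte form.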