Re: [therightkey] [cabfpub] Updated Certificate Transparency + Extended Validation plan

Adam Langley <agl@chromium.org> Tue, 04 February 2014 19:42 UTC

In-Reply-To: <05c501cf21dc$bbc70da0$335528e0$@digicert.com>
References: <CABrd9STwBDxwB1vtmS9Ozb5e_7D=zfOqkOBeAaT2HG7X-cw5gw@mail.gmail.com> <04a001cf21cf$3a649190$af2db4b0$@digicert.com> <01dc01cf21db$146dac40$3d4904c0$@globalsign.com> <CAL9PXLzFNCmwrQVBJKPuB8v2hSe6akT-rFku=p60PicLYH8JMA@mail.gmail.com> <05c501cf21dc$bbc70da0$335528e0$@digicert.com>
From: Adam Langley <agl@chromium.org>
Date: Tue, 04 Feb 2014 14:41:42 -0500
Message-ID: <CAL9PXLxx3gNRSN7FF1T=uQv6q5qooKNjO7Q1FSsZPLmSFt9NSQ@mail.gmail.com>
To: certificate-transparency@googlegroups.com
Content-Type: text/plain; charset="UTF-8"
Cc: therightkey <therightkey@ietf.org>, Ben Laurie <benl@google.com>, CABFPub <public@cabforum.org>
Subject: Re: [therightkey] [cabfpub] Updated Certificate Transparency + Extended Validation plan

On Tue, Feb 4, 2014 at 2:10 PM, Jeremy Rowley
<jeremy.rowley@digicert.com> wrote:
> I do not think this is correct.  The number of proofs actually increases as you decrease validity periods.

Consider a certificate setting out on a journey. It always needs to
have identity papers with it because the Browser Police are always on
the lookout for unregistered certificates. However, the Browser Police
sometimes decide that certain forms of ID are no longer acceptable and
so a certificate needs to carry several forms of ID with it. If it's
setting out on a one year journey it's wise to have two forms of ID
because one might become distrusted over the year, but it's
vanishingly unlikely that both would be.

However, if our plucky certificate is setting out on a two year
journey then it's wise to carry three forms of ID just in case two
become useless while it's out in the world. The longer it'll be out,
the more forms of ID it should carry to ensure that one is always
acceptable.

Cheers

AGL
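The "forms of ID" argument above, carried through numerically as an added illustration (not part of the original message or of any CT policy): it assumes each log is distrusted independently with a constructed per-year probability q, and asks how many SCTs from distinct logs are needed so that the chance of all of them becoming useless before the certificate expires stays below a chosen bound.

```python
"""Added illustration of the argument in AGL's message: the longer a
certificate's validity period, the more independent SCTs (forms of ID)
it needs for at least one to remain acceptable at the end. The per-year
distrust rate, the failure bound and the independence assumption are
constructed for this example, not taken from any real policy."""


def p_log_distrusted(q_per_year: float, years: float) -> float:
    """Probability that a single log is distrusted at some point during
    `years`, assuming an independent per-year distrust probability."""
    return 1.0 - (1.0 - q_per_year) ** years


def p_all_distrusted(n_scts: int, q_per_year: float, years: float) -> float:
    """Probability that every one of n_scts logs (assumed independent of
    each other) is distrusted before the certificate expires."""
    return p_log_distrusted(q_per_year, years) ** n_scts


def scts_needed(q_per_year: float, years: float, max_failure: float) -> int:
    """Smallest number of SCTs from distinct logs such that the chance of
    the certificate being left with no acceptable SCT during its validity
    period is at most max_failure."""
    n = 1
    while p_all_distrusted(n, q_per_year, years) > max_failure:
        n += 1
    return n


if __name__ == "__main__":
    q = 0.02      # constructed: 2% chance per year that a given log is distrusted
    eps = 1e-3    # constructed: tolerate a 0.1% chance of ending up with no valid SCT
    for years in (1, 2, 3, 5, 10):
        # Required SCT count grows with the length of the "journey".
        print(f"{years:2d} year(s): {scts_needed(q, years, eps)} SCTs")
```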