Re: [therightkey] Updated Certificate Transparency + Extended Validation plan

Wayne Thayer <wthayer@godaddy.com> Wed, 05 February 2014 01:47 UTC

From: Wayne Thayer <wthayer@godaddy.com>
To: Ben Laurie <benl@google.com>, CABFPub <public@cabforum.org>, "certificate-transparency@googlegroups.com" <certificate-transparency@googlegroups.com>, "therightkey@ietf.org" <therightkey@ietf.org>
Date: Wed, 05 Feb 2014 01:47:04 +0000

I'm somewhat confused by the following two points:

>>5. By July 2014 all EV certificates with validity periods beyond [July
>>2014] should be logged in at least [one] qualifying log (see below).
>>6. On 1 Jan 2015 Chrome will create a whitelist of valid EV certificates
>>already issued without an embedded SCT [issued by CAs participating in CT]
>>from all qualifying logs.

If EV certificates issued prior to 1 Jan 2015 will be whitelisted, what is
the purpose of point #5?

Also, regarding point #7, I understand if it's not practical to distribute
a large whitelist to mobile platforms, but IMO retroactively removing the
EV indicator from existing certs rather than letting them naturally expire
before enforcing CT on mobile platforms creates a bad EV experience in
return for little additional transparency & security.

Thanks,

Wayne

-----Original Message-----
From: therightkey [mailto:therightkey-bounces@ietf.org] On Behalf Of Ben Laurie
Sent: Tuesday, February 04, 2014 10:08 AM
To: CABFPub; certificate-transparency@googlegroups.com; therightkey@ietf.org
Subject: [therightkey] Updated Certificate Transparency + Extended Validation plan

Enclosed, our revised plan.

Comments welcome.