Re: [therightkey] [cabfpub] Updated Certificate Transparency + Extended Validation plan
Ryan Sleevi <sleevi@google.com> Wed, 05 February 2014 03:23 UTC
On Tue, Feb 4, 2014 at 7:12 PM, Wayne Thayer <wthayer@godaddy.com> wrote:

>
> On Tue, Feb 4, 2014 at 6:38 PM, Jeremy Rowley <jeremy.rowley@digicert.com> wrote:
>
>> I’m confused as well. Does that mean Android will start showing an EV
>> indicator?
>>
>> *From:* therightkey [mailto:therightkey-bounces@ietf.org] *On Behalf Of* Wayne Thayer
>> *Sent:* Tuesday, February 04, 2014 7:33 PM
>> *To:* Ryan Sleevi
>> *Cc:* therightkey@ietf.org; Ben Laurie; certificate-transparency@googlegroups.com; CABFPub
>> *Subject:* Re: [therightkey] [cabfpub] Updated Certificate Transparency + Extended Validation plan
>>
>> Hi Wayne,
>>
>> Considering we already do not indicate EV on Android, nor have we ever, I
>> don't think this perceived loss of functionality is as significant as you
>> may believe.
>>
>> Further, considering the very real and distinct performance
>> characteristics of mobile (radio warmups, RTTs, initcwnds), the idea of
>> fetching OCSP, or, worse, CRLs - especially when some CAs have CRLs that
>> are quite large (20+ MB) - in order to assure the EV display is...
>> non-ideal. So again, the EV indicator on mobile is not as strong or as
>> present as it may be on desktop platforms.
>>
>> In that case, what does this statement mean?
>>
>> Chrome for mobile platforms will cease to show EV indicators for
>> certificates that are not CT qualified according to the criteria below.
>>
>
> It means that for any CAs that hope to be recognized as EV on Chrome for
> mobile platforms (which include iOS), implementing CT by the dates outlined
> is seen as a requirement for such treatment. We wanted to specifically call
> attention to this - the whitelist is seen as a temporary measure for
> Desktop, but given the unique characteristics of mobile platforms, we're
> pursuing this requirement at a more aggressive pace.
>
> While Chrome for Android - and the Chrome-based WebView, as the WebView
> preceding it - do not provide special treatment for EV, any future plans
> for EV indications on these platforms have incorporated the above
> requirements and dates.
>
> In that case, my original objection stands – this policy retroactively
> downgrades existing EV certificates if and when a mobile platform chooses
> to implement an EV indicator. There are certainly times when it’s necessary
> to apply a new policy to existing certificates to protect relying parties,
> but IMO this isn’t one of them.
>

Wayne,

While I appreciate your position, I am absolutely baffled as to how you can present this as a "downgrade".

If and when Android supports EV, certificates that fail to meet these requirements will continue to appear exactly the same as they do today and they have in the past. Certificates which do conform to these program requirements will, presumably, be granted distinguishing UI. To the customer who purchased a certificate today, their certificate will continue to appear in that future world exactly how it appears today, presumably - providing them exactly what they expected.

I can only interpret your objection as an objection to root store programs requiring additional requirements above and beyond that of the EV Guidelines. I can only presume that you have similar objections to root store programs requiring additional requirements above and beyond the Baseline Requirements - as (to the best of my knowledge) - every root program already does today.

Could you perhaps quantify exactly what you see as the downgrade, given that such a hypothetical user experience (as again, EV is not presently implemented in Chrome for Android) does not change?