Re: [therightkey] [cabfpub] Updated Certificate Transparency + Extended Validation plan

Adam Langley <agl@chromium.org> Tue, 04 February 2014 20:32 UTC

Return-Path: <agl@google.com>
X-Original-To: therightkey@ietfa.amsl.com
Delivered-To: therightkey@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BB2051A011F for <therightkey@ietfa.amsl.com>; Tue, 4 Feb 2014 12:32:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.914
X-Spam-Level:
X-Spam-Status: No, score=-1.914 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, RP_MATCHES_RCVD=-0.535, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lk8fqsE1CLaK for <therightkey@ietfa.amsl.com>; Tue, 4 Feb 2014 12:32:16 -0800 (PST)
Received: from mail-ve0-x235.google.com (mail-ve0-x235.google.com [IPv6:2607:f8b0:400c:c01::235]) by ietfa.amsl.com (Postfix) with ESMTP id 376291A0100 for <therightkey@ietf.org>; Tue, 4 Feb 2014 12:32:16 -0800 (PST)
Received: by mail-ve0-f181.google.com with SMTP id cz12so6548522veb.12 for <therightkey@ietf.org>; Tue, 04 Feb 2014 12:32:15 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc:content-type; bh=yDdo7hSevAO0RVpLqtZ6JLeuFn0GYTCuH7cmLimSy5s=; b=p4Z0u/Ij6QzRPFjXKOr5QPlqN4NzIMmMisG0zPdeI5MZfDFhOsMoaae55nUxUEmnhh HOcHDRbKlHDM+gCz8ncNC9N2z67DExbySyeWcaYa29AAtZATFfShSEmrFq9L38vSWqrI Kv+xP9WYTdLGSO1MiFwcG9fGBhgDDrZK0gMZNVnqCn3vqDCW3/LcNKCXaB9rGtMnOOka 5FXo0s6bt+bNE2TMxuxpWGiRnqpERS8ulmIDWTczKD7TFpZdsdpYPV+RFsR5uIKwB26C ET+0pfXOxz90QPoh2ksVBaw0jNhUOLKTco9S37okcVe8Sb4odMaxtZ0BcTM1XFE4y8T6 UOVw==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc:content-type; bh=yDdo7hSevAO0RVpLqtZ6JLeuFn0GYTCuH7cmLimSy5s=; b=nY8KMozubhXdSU1cfKvmuhIMZH5wQleB8RF3IWuPOqxeGtjiZxQWth0YSgm4rdqqoe Kd3FrGX7HwzxQgkNV75IDeaa6i5i6tACtLhj0gQ+6rcemwWii6nkPy/MIky1F0ragx0l zS8BKMAHE0YCeGPlyZQw6ylDm0qHN7cpuC9Sc=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc:content-type; bh=yDdo7hSevAO0RVpLqtZ6JLeuFn0GYTCuH7cmLimSy5s=; b=U+qDeoHPA+ZaEcuPbDZFi4oVXPsTZsd2UwmogulCZCAW0z0e6/2VT7Qwv7q4mSJTxD 97fQXC259aR3zBSRTrRzqPnFd/LIxIUtl8epYgBh+1THk5O1cRZFGC9I6I9bk6P4Kur4 StVq59I9kVAH9eE7hZSlZkKcfg+sOkAmD8NKgG7SE1T4oDbwqu4kpvX10Aer2+yN9Nj8 CPFnEgtc+FjweUqeYxsMiJVlbfoU2DxIXmgPS+i82azh57KQodMRLA/ZC2wVyCRcGIVT o8QJ3G4C2eni9E9kkyrFn0rLKQmtqeMlBqqeG0/qvbjHS4buB/9jT/jVTCpyM370Ouyw IHpA==
X-Gm-Message-State: ALoCoQmCPDfiZigzID/UvK8mTS6Z/5p6/n8Xe5uUGCvDNCZRMDUGAikhwF1Zc9B2GPNIqs8vTYrDILpjl/g+bDbkcn4WL+/WSiegMVpV3HrD9HLw6lBFO9XZwqtQl2Ju3ajRHI2Yyc848t3MCdIox3tO8BJ/2krldtoWg4IOyN+uNu1sNq3yBgDQNN3cNS+zXlKkhBqXxqYr
X-Received: by 10.58.219.1 with SMTP id pk1mr72404vec.49.1391545935441; Tue, 04 Feb 2014 12:32:15 -0800 (PST)
MIME-Version: 1.0
Sender: agl@google.com
Received: by 10.52.104.37 with HTTP; Tue, 4 Feb 2014 12:31:55 -0800 (PST)
In-Reply-To: <066901cf21e7$2bf25ee0$83d71ca0$@digicert.com>
References: <CABrd9STwBDxwB1vtmS9Ozb5e_7D=zfOqkOBeAaT2HG7X-cw5gw@mail.gmail.com> <04a001cf21cf$3a649190$af2db4b0$@digicert.com> <01dc01cf21db$146dac40$3d4904c0$@globalsign.com> <CAL9PXLzFNCmwrQVBJKPuB8v2hSe6akT-rFku=p60PicLYH8JMA@mail.gmail.com> <05c501cf21dc$bbc70da0$335528e0$@digicert.com> <CAL9PXLxx3gNRSN7FF1T=uQv6q5qooKNjO7Q1FSsZPLmSFt9NSQ@mail.gmail.com> <063601cf21e5$2e696440$8b3c2cc0$@digicert.com> <CAL9PXLywZUgLjAABQbtVoid2wSCmR6epOgFjC5jDoA90nUnWzQ@mail.gmail.com> <066901cf21e7$2bf25ee0$83d71ca0$@digicert.com>
From: Adam Langley <agl@chromium.org>
Date: Tue, 04 Feb 2014 15:31:55 -0500
X-Google-Sender-Auth: j_gkYtg4ltRyKxL-6LddPgDyOlQ
Message-ID: <CAL9PXLx_5_0cc0yCYUROqM7FN6c2HR+vmkxeWBxPNf+gq0wVNw@mail.gmail.com>
To: Jeremy Rowley <jeremy.rowley@digicert.com>
Content-Type: text/plain; charset="UTF-8"
Cc: therightkey <therightkey@ietf.org>, certificate-transparency <certificate-transparency@googlegroups.com>, CABFPub <public@cabforum.org>
Subject: Re: [therightkey] [cabfpub] Updated Certificate Transparency + Extended Validation plan
X-BeenThere: therightkey@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <therightkey.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/therightkey>, <mailto:therightkey-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/therightkey/>
List-Post: <mailto:therightkey@ietf.org>
List-Help: <mailto:therightkey-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/therightkey>, <mailto:therightkey-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 04 Feb 2014 20:32:18 -0000

On Tue, Feb 4, 2014 at 3:24 PM, Jeremy Rowley
<jeremy.rowley@digicert.com> wrote:
> What's wrong with rendering certificates invalid?  Isn't the burden on the
> CA to ensure their customers are satisfied?  If the CA wants to take the
> risk, let them. We'll make sure our customers 100% understand the risks when
> deciding how many proofs to embed.

But the burden of an invalid certificate significantly falls on
users/browsers, not just on the site. If distrusting a log causes 1%
of the Internet to go dark, we essentially cannot do it. It's because
of these externalities that we're seeking these assurances.


Cheers

AGL