Re: [therightkey] [cabfpub] Updated Certificate Transparency + Extended Validation plan

"Jeremy Rowley" <jeremy.rowley@digicert.com> Wed, 05 February 2014 16:24 UTC

From: Jeremy Rowley <jeremy.rowley@digicert.com>
To: 'Rob Stradling' <rob.stradling@comodo.com>
References: <CABrd9STwBDxwB1vtmS9Ozb5e_7D=zfOqkOBeAaT2HG7X-cw5gw@mail.gmail.com> <04a001cf21cf$3a649190$af2db4b0$@digicert.com> <52F2348E.1090805@comodo.com>
In-Reply-To: <52F2348E.1090805@comodo.com>
Date: Wed, 05 Feb 2014 09:24:28 -0700
Message-ID: <0b4601cf228e$be4de4b0$3ae9ae10$@digicert.com>
Cc: therightkey@ietf.org, 'Ben Laurie' <benl@google.com>, certificate-transparency@googlegroups.com, 'CABFPub' <public@cabforum.org>
Subject: Re: [therightkey] [cabfpub] Updated Certificate Transparency + Extended Validation plan

We could also remove the subject field to save a bunch of space, but that would defeat the point of the certificate.  Similarly, removing the public notice defeats the purpose of our relying party warranty.  However, I do think we need to shorten the message and deliver it more efficiently.

Thanks for the heads up.

Jeremy

-----Original Message-----
From: Rob Stradling [mailto:rob.stradling@comodo.com] 
Sent: Wednesday, February 05, 2014 5:55 AM
To: Jeremy Rowley
Cc: certificate-transparency@googlegroups.com; 'Ben Laurie'; 'CABFPub'; therightkey@ietf.org
Subject: Re: [cabfpub] Updated Certificate Transparency + Extended Validation plan

On 04/02/14 17:33, Jeremy Rowley wrote:
<snip>
> Adding 400 bytes per certificate will make EV certificates unusable by entities concerned with performance.

BTW Jeremy, in seeking to get some perspective on this issue, I notice that the current EV cert for www.digicert.com has a Certificate Policies User Notice that takes up 338 bytes!  (2 bytes per character, 'cos for some reason you use a BMPString).

"Any use of this Certificate constitutes acceptance of the DigiCert CP/CPS and the Relying Party Agreement which limit liability and are incorporated herein by reference"

Is it really necessary to include this notice in each cert?

Have any "entities concerned with performance" complained about it?

You could save 169 bytes immediately by simply switching from BMPString to UTF8String!  ;-)

--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
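An added example (my own code, not from either mail) that reproduces the size comparison Rob makes: it DER-encodes the notice text exactly as quoted above, once as BMPString and once as UTF8String, counting tag and length octets as well as content. The quoted text is 168 characters, so the totals land two bytes under Rob's 338-byte figure for the live certificate; the encoding rules and the saving per ASCII character are the same.

```python
# Added example, not code from the thread: DER-encode the user notice text as
# BMPString versus UTF8String and compare the resulting sizes.

BMPSTRING_TAG = 0x1E   # ASN.1 universal tag for BMPString (UCS-2, big-endian)
UTF8STRING_TAG = 0x0C  # ASN.1 universal tag for UTF8String

# Notice text as quoted in Rob's mail (used here as the sample input).
NOTICE = ("Any use of this Certificate constitutes acceptance of the DigiCert "
          "CP/CPS and the Relying Party Agreement which limit liability and "
          "are incorporated herein by reference")

def der_length(n: int) -> bytes:
    """DER length octets: one byte below 128, else 0x80|count then big-endian value."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_tlv(tag: int, content: bytes) -> bytes:
    """Wrap content in a primitive DER tag-length-value."""
    return bytes([tag]) + der_length(len(content)) + content

def encode_bmpstring(text: str) -> bytes:
    """BMPString costs exactly 2 bytes per character and cannot hold non-BMP code points."""
    if any(ord(ch) > 0xFFFF for ch in text):
        raise ValueError("BMPString cannot encode characters outside the BMP")
    return der_tlv(BMPSTRING_TAG, text.encode("utf-16-be"))

def encode_utf8string(text: str) -> bytes:
    """UTF8String costs 1 byte per ASCII character (2 to 4 for other characters)."""
    return der_tlv(UTF8STRING_TAG, text.encode("utf-8"))

def compare_sizes(text: str) -> dict:
    """Return content and full DER sizes for both encodings, plus the bytes saved."""
    bmp, utf8 = encode_bmpstring(text), encode_utf8string(text)
    return {
        "chars": len(text),
        "bmp_content": len(text.encode("utf-16-be")),
        "utf8_content": len(text.encode("utf-8")),
        "bmp_der": len(bmp),
        "utf8_der": len(utf8),
        "saved": len(bmp) - len(utf8),  # includes the shorter length octets
    }

if __name__ == "__main__":
    for key, value in compare_sizes(NOTICE).items():
        print(f"{key:>13}: {value}")
```

For non-ASCII text the saving shrinks or disappears (a Latin-1 accented letter is 2 bytes in both encodings), so the switch only pays off for notices written in plain ASCII like this one.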