Re: [therightkey] [cabfpub] Updated Certificate Transparency + Extended Validation plan

Adam Langley <agl@chromium.org> Tue, 04 February 2014 17:52 UTC

In-Reply-To: <04a001cf21cf$3a649190$af2db4b0$@digicert.com>
References: <CABrd9STwBDxwB1vtmS9Ozb5e_7D=zfOqkOBeAaT2HG7X-cw5gw@mail.gmail.com> <04a001cf21cf$3a649190$af2db4b0$@digicert.com>
From: Adam Langley <agl@chromium.org>
Date: Tue, 04 Feb 2014 12:52:20 -0500
Message-ID: <CAL9PXLyWFSfHz_230SkWLvr7sUROPv_k0rfKgmkMRRttk-EjGQ@mail.gmail.com>
To: certificate-transparency@googlegroups.com
Cc: therightkey@ietf.org, Ben Laurie <benl@google.com>, CABFPub <public@cabforum.org>
Subject: Re: [therightkey] [cabfpub] Updated Certificate Transparency + Extended Validation plan

On Tue, Feb 4, 2014 at 12:33 PM, Jeremy Rowley
<jeremy.rowley@digicert.com> wrote:
> Three or four proofs for a 27 month certificate is way too many.  The number of proofs should be decided based on the customer's risk profile, not a set number based on certificate lifecycle. Adding 400 bytes per certificate will make EV certificates unusable by entities concerned with performance.

The customer doesn't carry the risk: the risk is that we'll be unable
to revoke a log in clients due to the number of certificates that
depend on it.

We should make the SCTs as small as possible, but the switch to larger
initcwnds in recent years has released much of the pressure on keeping
certificate sizes below the traditional initcwnd limit.


Cheers

AGL
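The size argument above (a few hundred bytes of SCTs per certificate, weighed against the initcwnd budget), worked through as an added example that is not code from the thread or from Chromium: it serialises RFC 6962 SCT lists from constructed log IDs and dummy signature bytes, and checks whether a chain plus its SCTs fits in the first flight of an initial congestion window. The 1460-byte MSS and the 71-byte P-256 ECDSA signature length are assumptions.

```python
import struct

MSS = 1460  # assumed MSS for TCP over IPv4 on Ethernet

def encode_sct(log_id: bytes, timestamp_ms: int, signature: bytes,
               extensions: bytes = b"") -> bytes:
    """Serialise one v1 SignedCertificateTimestamp (RFC 6962 section 3.2).

    Layout: version(1) | log_id(32) | timestamp(8) | extensions(2+n) |
    DigitallySigned: hash alg sha256(1) | sig alg ecdsa(1) | length(2) | sig.
    """
    if len(log_id) != 32:
        raise ValueError("log_id must be the 32-byte SHA-256 of the log key")
    return (b"\x00" + log_id + struct.pack(">Q", timestamp_ms)
            + struct.pack(">H", len(extensions)) + extensions
            + b"\x04\x03" + struct.pack(">H", len(signature)) + signature)

def encode_sct_list(scts: list[bytes]) -> bytes:
    """SignedCertificateTimestampList (RFC 6962 section 3.3): a 2-byte total
    length, then each SCT prefixed by its own 2-byte length."""
    body = b"".join(struct.pack(">H", len(s)) + s for s in scts)
    return struct.pack(">H", len(body)) + body

def decode_sct_list(data: bytes) -> list[bytes]:
    """Inverse of encode_sct_list; rejects truncated or over-long input."""
    (total,) = struct.unpack(">H", data[:2])
    if total != len(data) - 2:
        raise ValueError("SCT list length does not match payload")
    scts, pos = [], 2
    while pos < len(data):
        (n,) = struct.unpack(">H", data[pos:pos + 2])
        pos += 2
        if pos + n > len(data):
            raise ValueError("truncated SCT")
        scts.append(data[pos:pos + n])
        pos += n
    return scts

def sct_list_overhead(num_scts: int, sig_len: int = 71) -> int:
    """Bytes an SCT list adds to a certificate, measured on constructed dummy
    SCTs (DER P-256 ECDSA signatures are 70-72 bytes; 71 assumed here). The
    ASN.1 OCTET STRING / extension wrapper around the list is not counted."""
    dummy = encode_sct(b"\x11" * 32, 1391536360897, b"\x00" * sig_len)
    return len(encode_sct_list([dummy] * num_scts))

def fits_initcwnd(chain_bytes: int, num_scts: int, initcwnd_segments: int,
                  mss: int = MSS) -> bool:
    """Does the chain plus its SCTs fit in the first flight of
    initcwnd_segments segments, i.e. without waiting for a client ACK?"""
    return chain_bytes + sct_list_overhead(num_scts) <= initcwnd_segments * mss
```

With a 4000-byte constructed chain, four SCTs push the total past the old initcwnd of 3 segments but sit comfortably inside an initcwnd of 10.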