Re: [TLS] [therightkey] Fwd: Improving EV Certificate Security
Joseph Bonneau <jbonneau@gmail.com> Thu, 26 September 2013 05:15 UTC
In-Reply-To: <CABrd9STcVGiYb9QBrezFza=Lhpcc=Hwh4h03R4gomCYVp=zLUw@mail.gmail.com>
References: <CABrd9STHiKL-ecavLCkw1jqGyLAUwEQb61yJWhZV9fFKbSR8vA@mail.gmail.com> <CABrd9STcVGiYb9QBrezFza=Lhpcc=Hwh4h03R4gomCYVp=zLUw@mail.gmail.com>
From: Joseph Bonneau <jbonneau@gmail.com>
Date: Thu, 26 Sep 2013 01:15:13 -0400
Message-ID: <CAOe4UikiA6vLnZXCxyUdK=VXRUgKf6T5k--anEJiPvK59KWVzQ@mail.gmail.com>
To: Ben Laurie <benl@google.com>
Cc: "therightkey@ietf.org" <therightkey@ietf.org>, "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] [therightkey] Fwd: Improving EV Certificate Security
I'd like some elaboration on the plan for step 6, creating a whitelist of valid EV certificates without an SCT. How is this going to be achieved? Also, if we could do this, why not do it for all certificates and bootstrap CT that way? Are the parameters of EV special for this (fewer certs, better records, etc.)?

An alternate approach to a whitelist is to require SCTs for certs with a "not before" validity period after time T (presumably this requirement kicks in around time T). With a stolen/compromised EV CA key you could still issue a fraudulent cert and backdate it, so you'd have to more strictly enforce the limits on validity periods for EV certs, which I believe are 27 months in the CA/Browser Forum guidelines and 39 months in the EV code-signing cert proposal. Of course this isn't attractive in that it means years before you really have protection against fraudulent EV certs. Has this approach been considered?

Joe
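The cut-off policy sketched in the message above (SCT required for certs whose notBefore is at or after time T, combined with a strict cap on EV validity) can be written down as a small acceptance check. The following is an added illustration, not code from the message or from any CT implementation; the date used for T, the sample certificates and the helper names are constructed for the example. The 27-month cap is the figure the message cites. The example shows why the validity cap is what bounds the exposure: a backdated, unlogged cert is still accepted until it ages out, so full protection only arrives at T plus the maximum validity.

```python
import calendar
from dataclasses import dataclass
from datetime import date

# Policy parameters (assumed values for this example, not taken from the thread).
SCT_REQUIRED_FROM = date(2014, 1, 1)   # "time T": certs issued on/after this need an SCT
MAX_EV_VALIDITY_MONTHS = 27            # EV validity cap cited in the message


def add_months(d: date, months: int) -> date:
    """Calendar-month addition, clamped to the last day of the target month."""
    y = d.year + (d.month - 1 + months) // 12
    m = (d.month - 1 + months) % 12 + 1
    last_day = calendar.monthrange(y, m)[1]
    return date(y, m, min(d.day, last_day))


@dataclass(frozen=True)
class EvCert:
    subject: str
    not_before: date
    not_after: date
    has_sct: bool


def evaluate(cert: EvCert, today: date,
             sct_required_from: date = SCT_REQUIRED_FROM,
             max_months: int = MAX_EV_VALIDITY_MONTHS) -> tuple[bool, str]:
    """Apply the notBefore cut-off policy; return (accepted, reason)."""
    if cert.not_after < cert.not_before:
        return False, "malformed validity period"
    if today < cert.not_before or today > cert.not_after:
        return False, "outside validity period"
    # The validity cap is what stops a backdated cert from living indefinitely.
    if cert.not_after > add_months(cert.not_before, max_months):
        return False, "validity exceeds EV maximum"
    # Certs issued after T must carry an SCT; earlier ones are exempt.
    if cert.not_before >= sct_required_from and not cert.has_sct:
        return False, "SCT required for certificates issued on or after T"
    return True, "accepted"


def protection_complete_on(sct_required_from: date = SCT_REQUIRED_FROM,
                           max_months: int = MAX_EV_VALIDITY_MONTHS) -> date:
    """Earliest date on which no unlogged (pre-T) cert can still be within validity."""
    return add_months(sct_required_from, max_months)


# Constructed sample certificates (hypothetical subjects and dates).
SAMPLE_CERTS = {
    "logged":          EvCert("example.test", date(2014, 3, 1), date(2016, 3, 1), True),
    "unlogged_post_T": EvCert("example.test", date(2014, 3, 1), date(2016, 3, 1), False),
    # Backdated to just before T, but within the cap: slips through until it expires.
    "backdated_short": EvCert("example.test", date(2013, 12, 1), date(2016, 2, 28), False),
    # Backdated with a long lifetime: the validity cap rejects it outright.
    "backdated_long":  EvCert("example.test", date(2013, 12, 1), date(2017, 12, 1), False),
}


def run_policy(today: date) -> dict[str, str]:
    """Evaluate every sample cert as of `today`; map name -> reason string."""
    return {name: evaluate(cert, today)[1] for name, cert in SAMPLE_CERTS.items()}


if __name__ == "__main__":
    for day in (date(2015, 1, 1), date(2016, 6, 1)):
        print(day, run_policy(day))
    print("unlogged certs fully excluded from:", protection_complete_on())
```

Running it for a date in early 2015 shows the window the message worries about: the backdated, unlogged cert is still accepted, while the over-long backdated one and the unlogged post-T one are refused. Re-running for mid-2016 shows the backdated cert has aged out, and `protection_complete_on` gives the date after which that can no longer happen for any cert issued under the cap.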