Re: [TLS] [therightkey] Fwd: Improving EV Certificate Security

Joseph Bonneau <> Thu, 26 September 2013 05:15 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 5723111E8152; Wed, 25 Sep 2013 22:15:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, NO_RELAYS=-0.001]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id wot2NmQZtvj8; Wed, 25 Sep 2013 22:15:44 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:400c:c02::22f]) by (Postfix) with ESMTP id 0BF9711E8155; Wed, 25 Sep 2013 22:15:33 -0700 (PDT)
Received: by with SMTP id h10so474920vbh.20 for <multiple recipients>; Wed, 25 Sep 2013 22:15:33 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; bh=RPvvSiwO/t5Sl8IKpsc5lXGCslZuZk5jjYMkni/Ke7Q=; b=yShqUbdLEMPJN8+OdcIlZF9qCrgHExIHKq/350VGmUDEqf8KSSkVkLMts240tXoYjG wF7cB/wOWIMUAli/G6aKFa6Kr7P57zyc2M7DTiu2SAEfavXWzNUK51FK7747ZHqSYr85 rfc+AiylwzuLKQ4DgL2BetdSxhvU+T2ZpAQV+CIlxvs5gRZIy+zcuBvC63JTAa528+VY F+uhPXbxwXYDc4xiSVLWztd4SJrVwy/DoXULIJN547A24GYJO8e2ApCK5VqgA/I+N0NE XJfQd5mLRRbPBnUrY4r0lBfw1N+5wBMY6+y0Zu062aDOpu9WNs2pgI86PUPSfmH+Ggy1 gtkQ==
X-Received: by with SMTP id sk5mr11585vcb.27.1380172533507; Wed, 25 Sep 2013 22:15:33 -0700 (PDT)
MIME-Version: 1.0
Received: by with HTTP; Wed, 25 Sep 2013 22:15:13 -0700 (PDT)
In-Reply-To: <>
References: <> <>
From: Joseph Bonneau <>
Date: Thu, 26 Sep 2013 01:15:13 -0400
Message-ID: <>
To: Ben Laurie <>
Content-Type: multipart/alternative; boundary=001a1133aa0096b02704e7427518
X-Mailman-Approved-At: Wed, 02 Oct 2013 08:21:22 -0700
Cc: "" <>, "" <>
Subject: Re: [TLS] [therightkey] Fwd: Improving EV Certificate Security
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 26 Sep 2013 05:15:45 -0000

I'd like some elaboration on the plan for step 6, creating a whitelist of
valid EV certificates without an SCT. How is this going to be achieved?
Also, if we could do this, why not do it for all certificates and bootstrap
CT that way? Are the parameters of EV special for this (fewer certs, better
records, etc.)?

An alternate approach to a whitelist is to require SCTs for certs with a
"not before" validity period after time T (presumably this requirement
kicksn in around time T). With a stolen/compromised EV CA key you could
still issue a fraudulent cert and backdate it, so you'd have to more
strictly enforce the limits on validity periods for EV certs which I
believe are 27 months in the CA/Browser forum guidelines and 39 months in
the EV code-signing cert proposal. Of course this isn't attractive in that
it means years before you really have protection against fraudulent EV
certs. Has this approach been considered?