Re: [TLS] [therightkey] Fwd: Improving EV Certificate Security

Ben Laurie <> Thu, 26 September 2013 14:37 UTC

Date: Thu, 26 Sep 2013 15:36:30 +0100
From: Ben Laurie <>
To: Joseph Bonneau <>
Content-Type: text/plain; charset=ISO-8859-1
Subject: Re: [TLS] [therightkey] Fwd: Improving EV Certificate Security

On 26 September 2013 15:29, Joseph Bonneau <> wrote:
>>> I'd like some elaboration on the plan for step 6, creating a whitelist of
>>> valid EV certificates without an SCT. How is this going to be achieved?
>> Not sure what the question is - as the doc says, the list will be
>> constructed from the logs...
> I think I read it incorrectly as "without an embedded CT from *any* qualifying
> logs" instead of "from all qualifying logs." Now I can see how the whitelist
> is created, but I'm less clear on what the intention of it is. Is the
> assumption that some certs will be issued with more than zero but fewer than
> three SCTs (proposed as the minimum acceptable in the "Qualifying
> Certificates" section) and you'd like to whitelist such certs during the
> rollout period?

Ah. So, all existing certs do not have embedded SCTs. So, we either
wait until all existing certs expire before we can enforce CT, or we
whitelist the unexpired certs.

> Also, why isn't there a step 8 in the plan, where the whitelist is
> deprecated and every EV cert requires SCTs and Chrome is rejecting the EV
> certs without them?

The whitelist is fixed, so at some point all certs in the whitelist
expire, and the whitelist thus becomes empty.
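The mechanism Ben describes, modelled as an added example (this is not code from the thread, from Chrome or from any CT implementation): a whitelist is frozen once from the logs, containing only the EV certificates that carry no SCTs and are still unexpired at build time; the client then grants EV treatment to a cert that either carries the minimum number of SCTs or matches the whitelist, and because the list never grows, it drains to nothing as those certs expire. The identifier used for whitelist entries (a SHA-256 over the DER encoding), the constant `MIN_SCTS = 3` taken from the quoted "fewer than three SCTs" discussion, and the outcome for a cert that fails the check (shown here as a downgrade to non-EV treatment) are assumptions of the model, not details fixed by the post.

```python
"""Model of the EV Certificate Transparency rollout discussed in the thread.

Constructed example. Assumptions (not stated in the post): certs are keyed by a
SHA-256 hash of their DER bytes, "qualifying" means at least MIN_SCTS embedded
SCTs, and a non-qualifying, non-whitelisted cert loses its EV treatment.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone

MIN_SCTS = 3  # minimum acceptable SCT count from the quoted discussion


@dataclass(frozen=True)
class Cert:
    der: bytes          # constructed stand-in for the DER-encoded certificate
    not_after: datetime  # expiry from the certificate's validity period
    sct_count: int       # number of embedded SCTs
    is_ev: bool

    def fingerprint(self) -> str:
        return hashlib.sha256(self.der).hexdigest()


def build_whitelist(logged: list[Cert], built_at: datetime) -> frozenset[str]:
    """Freeze the whitelist once: EV certs seen in the logs that have no SCTs
    and have not yet expired when the list is built. Nothing is added later."""
    return frozenset(
        c.fingerprint() for c in logged
        if c.is_ev and c.sct_count == 0 and c.not_after > built_at
    )


def ev_treatment(cert: Cert, whitelist: frozenset[str], now: datetime) -> str:
    """Client-side decision after enforcement begins.

    'expired'  - the cert is no longer valid at all
    'ev'       - qualifying SCT count, or grandfathered via the whitelist
    'not-ev'   - valid but EV treatment withheld (assumed outcome)
    """
    if cert.not_after <= now:
        return "expired"
    if cert.sct_count >= MIN_SCTS or cert.fingerprint() in whitelist:
        return "ev"
    return "not-ev"


def live_whitelist(whitelist: frozenset[str], certs_by_fp: dict[str, Cert],
                   now: datetime) -> frozenset[str]:
    """Whitelist entries that can still match an unexpired cert at `now`.
    Shows the fixed list draining as the grandfathered certs expire."""
    return frozenset(fp for fp in whitelist if certs_by_fp[fp].not_after > now)


# --- constructed sample data -------------------------------------------------
def _utc(y: int, m: int, d: int) -> datetime:
    return datetime(y, m, d, tzinfo=timezone.utc)

OLD_EV = Cert(b"constructed-der-old-ev", _utc(2015, 1, 1), 0, True)   # pre-CT EV cert
WEAK_EV = Cert(b"constructed-der-weak-ev", _utc(2016, 6, 1), 1, True)  # too few SCTs
NEW_EV = Cert(b"constructed-der-new-ev", _utc(2016, 6, 1), 3, True)    # qualifying
DV = Cert(b"constructed-der-dv", _utc(2016, 6, 1), 0, False)           # not EV

BUILT_AT = _utc(2014, 1, 1)
LOGGED_AT_BUILD = [OLD_EV, WEAK_EV, DV]   # NEW_EV is issued after the freeze
WHITELIST = build_whitelist(LOGGED_AT_BUILD, BUILT_AT)
CERTS_BY_FP = {c.fingerprint(): c for c in LOGGED_AT_BUILD + [NEW_EV]}


def rollout_summary() -> dict[str, object]:
    """Evaluate the model at two points in time and report the results."""
    during, after = _utc(2014, 6, 1), _utc(2015, 6, 1)
    return {
        "whitelist_size": len(WHITELIST),
        "old_ev_during": ev_treatment(OLD_EV, WHITELIST, during),
        "old_ev_after": ev_treatment(OLD_EV, WHITELIST, after),
        "weak_ev_during": ev_treatment(WEAK_EV, WHITELIST, during),
        "new_ev_during": ev_treatment(NEW_EV, WHITELIST, during),
        "live_during": len(live_whitelist(WHITELIST, CERTS_BY_FP, during)),
        "live_after": len(live_whitelist(WHITELIST, CERTS_BY_FP, after)),
    }


if __name__ == "__main__":
    for key, value in rollout_summary().items():
        print(f"{key}: {value}")
```

The `WEAK_EV` case is the one Bonneau asks about: a cert issued with some SCTs but fewer than the minimum is not covered by the whitelist, because the list only ever contained the pre-existing certs with none. `live_whitelist` makes the answer to the "step 8" question concrete: nothing has to deprecate the list, since once `OLD_EV` expires no entry can match a live cert any more.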