Re: [TLS] [therightkey] Fwd: Improving EV Certificate Security

Joseph Bonneau <jbonneau@gmail.com> Thu, 26 September 2013 14:29 UTC

In-Reply-To: <CABrd9STs7TimumEC=ee7-=1O05j=xFo1P3Nhj4YHyaH5LFkfRA@mail.gmail.com>
References: <CABrd9STHiKL-ecavLCkw1jqGyLAUwEQb61yJWhZV9fFKbSR8vA@mail.gmail.com> <CABrd9STcVGiYb9QBrezFza=Lhpcc=Hwh4h03R4gomCYVp=zLUw@mail.gmail.com> <CAOe4UikiA6vLnZXCxyUdK=VXRUgKf6T5k--anEJiPvK59KWVzQ@mail.gmail.com> <CABrd9STs7TimumEC=ee7-=1O05j=xFo1P3Nhj4YHyaH5LFkfRA@mail.gmail.com>
From: Joseph Bonneau <jbonneau@gmail.com>
Date: Thu, 26 Sep 2013 10:29:08 -0400
Message-ID: <CAOe4Uinow2WqWCtgJaFaknriejXmALg8qPzLaidzG4EwFywDvQ@mail.gmail.com>
To: Ben Laurie <benl@google.com>
Cc: "therightkey@ietf.org" <therightkey@ietf.org>, "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] [therightkey] Fwd: Improving EV Certificate Security

> > I'd like some elaboration on the plan for step 6, creating a whitelist of
> > valid EV certificates without an SCT. How is this going to be achieved?
>
> Not sure what the question is - as the doc says, the list will be
> constructed from the logs...
>

I think I read it incorrectly as "without an embedded SCT from *any* qualifying
logs" instead of "from all qualifying logs." Now I can see how the
whitelist is created, but I'm less clear on what the intention of it is. Is
the assumption that some certs will be issued with more than zero but fewer
than three SCTs (proposed as the minimum acceptable in the "Qualifying
Certificates" section) and you'd like to whitelist such certs during the
rollout period?

Also, why isn't there a step 8 in the plan, where the whitelist is
deprecated, every EV cert requires SCTs, and Chrome rejects the EV
certs without them?
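The rule under discussion, as an added example that is not code from the thread or from the plan it refers to: a parser for the TLS-encoded SignedCertificateTimestampList (the RFC 6962 wire format carried in the X.509 SCT extension) and a policy check that treats a certificate as qualifying when it carries at least three SCTs from distinct qualifying logs, falls back to a rollout whitelist otherwise, and rejects once the whitelist is retired (the "step 8" asked about above). The threshold of three is taken from the message above; keying the whitelist by SHA-256 certificate fingerprint, the log IDs, the certificate bytes and the dummy signatures are all constructed assumptions, and SCT signature verification is deliberately out of scope.

```python
"""Added example: parse an RFC 6962 SCT list and apply an EV qualification
rule (>= MIN_SCTS SCTs from distinct qualifying logs, else whitelist while
the rollout lasts, else reject).  All data below is constructed; SCT
signatures are not verified here."""
import hashlib
import struct
from dataclasses import dataclass

MIN_SCTS = 3  # proposed minimum from the "Qualifying Certificates" discussion


@dataclass
class SCT:
    version: int
    log_id: bytes        # SHA-256 of the log's public key
    timestamp_ms: int
    extensions: bytes
    signature: bytes     # hash alg, sig alg, 16-bit length and signature bytes


def _read_u16_vec(buf, pos):
    """Read a TLS opaque<0..2^16-1> vector at pos; return (bytes, new_pos)."""
    (n,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    if pos + n > len(buf):
        raise ValueError("truncated vector")
    return buf[pos:pos + n], pos + n


def parse_sct(raw):
    """Parse one SerializedSCT (RFC 6962 s.3.2, v1 only)."""
    if len(raw) < 1 + 32 + 8 + 2:
        raise ValueError("SCT too short")
    version = raw[0]
    if version != 0:
        raise ValueError("unsupported SCT version %d" % version)
    log_id = raw[1:33]
    (timestamp,) = struct.unpack_from(">Q", raw, 33)
    extensions, pos = _read_u16_vec(raw, 41)
    # digitally-signed struct: hash alg (1), sig alg (1), 16-bit length, sig
    if len(raw) < pos + 4:
        raise ValueError("truncated signature")
    _sig, end = _read_u16_vec(raw, pos + 2)
    if end != len(raw):
        raise ValueError("trailing bytes in SCT")
    return SCT(version, log_id, timestamp, extensions, raw[pos:end])


def parse_sct_list(blob):
    """Parse a SignedCertificateTimestampList; the list must be non-empty."""
    outer, pos = _read_u16_vec(blob, 0)
    if pos != len(blob):
        raise ValueError("trailing bytes after SCT list")
    scts, p = [], 0
    while p < len(outer):
        raw, p = _read_u16_vec(outer, p)
        scts.append(parse_sct(raw))
    if not scts:
        raise ValueError("empty SCT list")
    return scts


def ev_status(cert_der, sct_list_blob, qualifying_logs, whitelist, rollout=True):
    """Return 'qualified', 'whitelisted' or 'rejected'.

    sct_list_blob is None when the certificate carries no SCT extension.
    Only SCTs from distinct qualifying logs count towards MIN_SCTS, so the
    same log signing three times does not qualify a certificate."""
    scts = parse_sct_list(sct_list_blob) if sct_list_blob is not None else []
    distinct_logs = {s.log_id for s in scts if s.log_id in qualifying_logs}
    if len(distinct_logs) >= MIN_SCTS:
        return "qualified"
    fingerprint = hashlib.sha256(cert_der).digest()  # assumed whitelist key
    if rollout and fingerprint in whitelist:
        return "whitelisted"
    return "rejected"


# --- constructed sample data ------------------------------------------------
def build_sct(log_id, ts_ms=1380205768803):
    """Serialize a v1 SCT with no extensions and a dummy ECDSA/SHA-256 sig."""
    sig = bytes([4, 3]) + struct.pack(">H", 4) + b"\x00" * 4
    body = bytes([0]) + log_id + struct.pack(">Q", ts_ms) + struct.pack(">H", 0) + sig
    return struct.pack(">H", len(body)) + body


def build_sct_list(log_ids):
    inner = b"".join(build_sct(l) for l in log_ids)
    return struct.pack(">H", len(inner)) + inner


LOG_A, LOG_B, LOG_C, LOG_X = (hashlib.sha256(n).digest() for n in (b"a", b"b", b"c", b"x"))
QUALIFYING = {LOG_A, LOG_B, LOG_C}          # LOG_X is not a qualifying log
CERT = b"constructed EV certificate bytes"  # stands in for DER
WHITELIST = {hashlib.sha256(CERT).digest()}

if __name__ == "__main__":
    print(ev_status(CERT, build_sct_list([LOG_A, LOG_B, LOG_C]), QUALIFYING, WHITELIST))
    print(ev_status(CERT, build_sct_list([LOG_A, LOG_B]), QUALIFYING, WHITELIST))
    print(ev_status(CERT, build_sct_list([LOG_A, LOG_B]), QUALIFYING, WHITELIST, rollout=False))
```

The `rollout` flag is the part the message asks about: with it set the whitelist rescues certificates that carry too few SCTs, and clearing it is the "step 8" state in which only the SCT count decides. Counting distinct log IDs rather than SCTs matters, since three SCTs from one log give no more independence than one.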