[cabfpub] [cabfman] Improving the security of EV Certificates

Eddy Nigg (StartCom Ltd.) eddy_nigg at startcom.org
Thu Dec 19 09:20:12 UTC 2013 

On 12/19/2013 02:27 AM, From Ryan Sleevi:
>
> It has been repeatedly explained to you, by multiple parties, that it 
> is not the end users (that is, to use CA terms, "Relying Parties"), 
> but instead the site operators, who will be monitoring the CT log.

I don't think it really matters who and how is monitoring this log, if 
at all.

>
>> And who do these users yell at when pins break?
>
>
>     There is most likely a reason if that happens, this way or the
>     other. A knowledgeable users will know the difference and the
>     others will not pin any certificates to start with.
>
>
> So protection for nobody. Got it.

I thought CT is about detection and not primarily protection? Detection 
also provides retroactive protection obviously, there might be other 
ways (better, worse) to achieving the same or similar.

> Eddy, I have tremendous respect for you and your efforts, but I feel 
> at this time, we've reached an impasse at being able to fruitfully and 
> productively discuss CT, its merits, and its risks.

Probably - at this point we can simply agree that we disagree.

> As has been previously discussed ( 
> https://cabforum.org/pipermail/public/2013-September/002233.html ), 
> Google Chrome intends to require Certificate Transparency for all EV 
> certificates issued after a future date. This is, as has been 
> previously stated, an additional requirement that Google Chrome is 
> imposing on certificates that it grants the EV badge to - in addition 
> to, not in replacement of, the existing auditing requirements 
> according to the CA/Browser Forum's EV Certificate Guidelines, and as 
> documented at 
> http://www.chromium.org/Home/chromium-security/root-ca-policy

I took note about your intentions, funnily that EV is your primary 
target which I believe needs it the least.

Now, regarding your intentions I believe it needs two to tango - we  
will make our calculations and will make a decision if we can support it 
or not. _If compliance would mean a significant change to the current 
business model of StartCom and the way we issue certificates, we will 
most likely not support it_. **

It could be that other CAs for this or other reasons (maybe privacy, 
existing NDAs etc.) will not be able to support it either, than you 
might be in a difficult situation too...


** Please note that less than half a year ago we had to make 
considerable efforts to support a complete change of our OCSP 
infrastructure, which involved some difficulties and still does for us. 
Unfortunately the only browser that really does something with that 
information (Firefox), is the one that suffered the most because of it. 
We are willing to make another effort shortly if Firefox doesn't support 
OCSP GET requests very soon in order to improve the situation.

Other requirements, changes and regulations are coming forth every here 
and now by the software vendors (and not through the CAB forum 
guidelines necessarily where CAs also have a say) affecting operation, 
implementations and business models, whereas I'm not sure if and when 
some real actions are warranted by the software vendors it always 
happens the way I'd like to see it. Other times the same browser vendors 
bent over themselves (and some CAs) for far less significant changes and 
far bigger failures (excuse my rambling)...

In short, this might be a deal-breaker for us which we will consider 
carefully at the appropriate time. And now I will shut up in order not 
to annoy the audience any further! :-)


Regards
Signer: 	Eddy Nigg, COO/CTO
	StartCom Ltd. <http://www.startcom.org>
XMPP: 	startcom at startcom.org <xmpp:startcom at startcom.org>
Blog: 	Join the Revolution! <http://blog.startcom.org>
Twitter: 	Follow Me <http://twitter.com/eddy_nigg>


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20131219/eafe181a/attachment-0003.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4540 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.cabforum.org/pipermail/public/attachments/20131219/eafe181a/attachment-0001.p7s>

More information about the Public mailing list