[cabfpub] Upcoming changes to Google Chrome's certificate handling

Rob Stradling rob.stradling at comodo.com
Mon Nov 11 04:42:33 MST 2013


On 10/11/13 21:13, Eddy Nigg (StartCom Ltd.) wrote:
>
> On 11/05/2013 03:29 AM, From Rick Andrews:
>> We close by offering that these comments are in the spirit of a robust
>> public discussion on the future of web security and have no doubt that
>> all parties including Google desire a safer Internet. We hope to
>> continue an active dialogue that looks for ways to reduce risk while
>> continuing to enable the web security ecosystem to flourish and scale
>> to provide even more benefit for the Internet. We invite feedback and
>> comment on our statements and look forward to continuing the discussion.
>
> I'm not entirely sure how this stands today, but the CT adventure will
> have for us only value if revocation information will be carried by the
> log and result in an alternative of current revocation checking.

CT is not a revocation mechanism.

RFC6962 says:
   "Those who are concerned about misissue can monitor the logs, asking
    them regularly for all new entries, and can thus check whether
    domains they are responsible for have had certificates issued that
    they did not expect.  What they do with this information,
    particularly when they find that a misissuance has happened, is
    beyond the scope of this document, but broadly speaking, they can
    invoke existing business mechanisms for dealing with misissued
    certificates.  Of course, anyone who wants can monitor the logs and,
    if they believe a certificate is incorrectly issued, take action as
    they see fit."

> Today
> after we were all forced to run through the hoops of changing the OCSP
> responses to contain "unknown" in addition to "valid" and "revoked", I
> believe the CT log must be the source for either valid, revoked
> or....non-existent.
>
> If the above is planned or an option, I believe that it can be a viable
> alternative to current implementations backed by a strong and shared
> infrastructure with the goal to provide reliable information to the
> relying parties about certificates CAs issued and their current status.
> Otherwise I believe the benefits don't justify the effort required.

If CT had been deployed prior to the DigiNotar compromise, that
compromise would probably have been discovered within hours rather than
months!!  Is that really not enough of a benefit?

As for fixing revocation, don't forget...
http://www.links.org/files/RevocationTransparency.pdf

-- 
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
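The log monitoring that the quoted RFC 6962 passage describes, as an added example (not code from the thread, from the RFC, or from any CA): a minimal Python monitor that parses RFC 6962 MerkleTreeLeaf entries, pulls the dNSName values out of the certificate's SAN extension, and flags any certificate naming a watched domain whose fingerprint the domain owner did not request. The certificates and the log batch are constructed stand-ins (bare SAN extensions wrapped in SEQUENCEs, not real X.509), and polling a real log's get-entries endpoint is assumed to happen outside this snippet.

```python
import hashlib, struct
SAN_OID = bytes.fromhex("0603551d11")  # DER-encoded OID 2.5.29.17 (subjectAltName)

def der(tag, body):  # encode one DER TLV (short form and the two long forms used here)
    n = len(body)
    hdr = bytes([tag, n]) if n < 128 else bytes([tag, 0x81, n]) if n < 256 else bytes([tag, 0x82]) + n.to_bytes(2, "big")
    return hdr + body

def tlv(buf):  # yield (tag, value) for each DER TLV in buf
    pos = 0
    while pos < len(buf):
        tag, n, pos = buf[pos], buf[pos + 1], pos + 2
        if n & 0x80:  # long-form length: low 7 bits give the number of length bytes
            k = n & 0x7F
            n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
        yield tag, buf[pos:pos + n]
        pos += n

def san_dns_names(cert_der):  # walk the DER tree to the SAN extension, return its dNSName values
    names, todo = [], [cert_der]
    while todo:
        for tag, val in tlv(todo.pop()):
            if tag == 0x30 and val.startswith(SAN_OID):  # Extension ::= SEQUENCE { OID, [critical], OCTET STRING }
                for _, gnames in tlv(next(v for t, v in tlv(val) if t == 0x04)):  # GeneralNames SEQUENCE
                    names.extend(v.decode() for t, v in tlv(gnames) if t == 0x82)  # [2] dNSName
            elif tag & 0x20:  # any other constructed type: descend
                todo.append(val)
    return names

def parse_leaf(leaf):  # RFC 6962 MerkleTreeLeaf carrying an x509_entry -> (timestamp_ms, cert_der)
    version, leaf_type, timestamp, entry_type = struct.unpack(">BBQH", leaf[:12])
    if (version, leaf_type, entry_type) != (0, 0, 0):
        raise ValueError("only v1 timestamped_entry / x509_entry leaves are handled")
    return timestamp, leaf[15:15 + int.from_bytes(leaf[12:15], "big")]  # 3-byte length prefix on ASN.1Cert
def make_leaf(ts, cert):  # constructed helper: serialise an x509_entry leaf with empty CtExtensions
    return struct.pack(">BBQH", 0, 0, ts, 0) + len(cert).to_bytes(3, "big") + cert + b"\x00\x00"
def make_cert(names):  # constructed stand-in for a certificate: nested SEQUENCEs around one SAN extension
    gnames = der(0x30, b"".join(der(0x82, n.encode()) for n in names))
    return der(0x30, der(0x30, der(0xA3, der(0x30, der(0x30, SAN_OID + der(0x04, gnames))))))

def monitor(leaves, watched, expected_fps):  # alert on certs naming a watched domain that we did not request
    alerts = []
    for ts, cert in map(parse_leaf, leaves):
        names, fp = san_dns_names(cert), hashlib.sha256(cert).hexdigest()
        if fp not in expected_fps and any(n == w or n.endswith("." + w) for n in names for w in watched):
            alerts.append((ts, fp, names))
    return alerts

GOOD, ROGUE = make_cert(["example.com", "www.example.com"]), make_cert(["login.example.com"])  # constructed sample certs
LOG_BATCH = [make_leaf(1384000000000, GOOD), make_leaf(1384000001000, ROGUE), make_leaf(1384000002000, make_cert(["example.net"]))]
ALERTS = monitor(LOG_BATCH, {"example.com"}, {hashlib.sha256(GOOD).hexdigest()})
```

Only the second entry is reported: it names a subdomain of the watched domain but is not among the fingerprints the owner expects, which is exactly the "certificates issued that they did not expect" case the RFC describes.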
