[cabfpub] Upcoming changes to Google Chrome's certificate handling
Jeremy Rowley
jeremy.rowley at digicert.com
Fri Nov 8 15:10:09 UTC 2013
I disagree. From the outset, the log operator's responsibility has been to
gossip with other logs to ensure they aren't forked or in a bubble. The
CA's responsibility is to log the certificate in a trusted log. The browser
is responsible for determining the trustworthiness of the log. Each actor
has a role to play.
A log proof from the CA itself should be sufficient as the logs are supposed
to communicate with each other. A CA's log that is offline too long becomes
untrusted. Plus, I trust DigiCert's log server availability and integrity
way more than I trust anyone else's. If I'm hitting a couple of log
servers, I want them to be the servers I know won't go down or be untrusted.
-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
Behalf Of Sigbjørn Vik
Sent: Friday, November 08, 2013 3:01 AM
To: public at cabforum.org
Subject: Re: [cabfpub] Upcoming changes to Google Chrome's certificate
handling
On 07-Nov-13 20:44, Jeremy Rowley wrote:
> 5) Size. We do not support Google's recommendation for three
> separate time stamps. Two is sufficient to provide protection. In
> fact, I'd prefer to include only a single proof in each certificate.
> If you log a cert to multiple servers, you can include a new proof
> later on during re-issue, which minimizes concerns about log compromise.
> Regardless, I do not think Google should dictate the number of logs.
> Instead, each CA should individually evaluate the risks of a log
> compromise or unavailability and decide the number of proofs required.
There is an additional requirement I would like to see implemented on the
proofs, that at least one is issued by a log under a different jurisdiction
than the certificate. The threat scenario is a government agency telling CAs
"We want a certificate for this site and a forked log proving it.", then
deploying this in a closed network from where it will never leak.
A log proof from the CA itself should never be considered sufficient, as
this makes authoritarian misconduct much easier. A requirement for different
jurisdictions would also make life easier for CAs, as they don't have to
worry about government interference.
--
Sigbjørn Vik
Opera Software
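The policies argued over in this exchange (a minimum number of proofs, and Sigbjørn Vik's requirement that at least one proof come from a log outside the certificate's jurisdiction and outside the CA's own control) can be written down as a check a browser or auditor might run over the SCTs embedded in a certificate. The following is an added example, not code from either poster or from any CT implementation: the log registry, operator names, jurisdictions, the `distrusted_at` field, and the choice to treat the certificate's jurisdiction as that of its issuer are all constructed assumptions.

```python
"""Added example (not from the cabfpub thread or any CT implementation):
evaluate a certificate's embedded log proofs (SCTs) against the policies
debated in the thread. All logs, operators and jurisdictions are constructed
placeholders, not real CT logs."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional


@dataclass(frozen=True)
class LogInfo:
    """How a policy engine might describe a CT log (constructed fields)."""
    log_id: str                     # hypothetical log identifier
    operator: str                   # organisation running the log
    jurisdiction: str               # country whose law governs the operator
    distrusted_at: Optional[datetime] = None   # None = still trusted


@dataclass(frozen=True)
class SCT:
    """A log proof (signed certificate timestamp) as embedded in a certificate."""
    log_id: str
    timestamp: datetime


@dataclass
class Verdict:
    accepted: bool
    failures: List[str] = field(default_factory=list)   # policy violations
    warnings: List[str] = field(default_factory=list)   # proofs that did not count


# Constructed registry of known logs; none of these are real CT logs.
LOGS: Dict[str, LogInfo] = {
    "ca-log": LogInfo("ca-log", "ExampleCA", "US"),
    "browser-log": LogInfo("browser-log", "ExampleBrowser", "US"),
    "foreign-log": LogInfo("foreign-log", "ExampleIndependent", "NO"),
    # A log that went offline / was distrusted in mid-2013: proofs dated after
    # that point no longer count ("a log that is offline too long becomes untrusted").
    "stale-log": LogInfo("stale-log", "ExampleStale", "DE",
                         distrusted_at=datetime(2013, 6, 1, tzinfo=timezone.utc)),
}


def evaluate_proofs(scts: List[SCT], issuer_operator: str, cert_jurisdiction: str,
                    min_proofs: int = 2, require_foreign_log: bool = True,
                    logs: Dict[str, LogInfo] = LOGS) -> Verdict:
    """Apply the two policy knobs from the thread.

    min_proofs:          proofs from distinct trusted logs required (1, 2 or 3 were
                         the numbers argued over).
    require_foreign_log: if True, at least one counted proof must come from a log
                         that is neither run by the issuing CA nor under the
                         certificate's jurisdiction (the Opera proposal).
    """
    verdict = Verdict(accepted=True)
    counted: Dict[str, LogInfo] = {}

    for sct in scts:
        log = logs.get(sct.log_id)
        if log is None:
            verdict.warnings.append(f"SCT from unknown log {sct.log_id!r} ignored")
            continue
        if log.distrusted_at is not None and sct.timestamp >= log.distrusted_at:
            verdict.warnings.append(
                f"SCT from {log.log_id} is dated after the log lost trust; ignored")
            continue
        counted[log.log_id] = log      # several SCTs from one log count once

    if len(counted) < min_proofs:
        verdict.failures.append(
            f"only {len(counted)} trusted proof(s); {min_proofs} required")

    if require_foreign_log:
        foreign = [l for l in counted.values()
                   if l.operator != issuer_operator and l.jurisdiction != cert_jurisdiction]
        if not foreign:
            verdict.failures.append(
                "no proof from a log outside the issuer's control and jurisdiction")

    verdict.accepted = not verdict.failures
    return verdict


if __name__ == "__main__":
    t = datetime(2013, 11, 8, tzinfo=timezone.utc)
    domestic = [SCT("ca-log", t), SCT("browser-log", t)]
    # Two proofs satisfy the count rule but not the jurisdiction rule.
    print(evaluate_proofs(domestic, "ExampleCA", "US"))
    print(evaluate_proofs(domestic + [SCT("foreign-log", t)], "ExampleCA", "US"))
```

Run with the two policies toggled to see which certificates each side of the argument would accept: the same pair of US-operated proofs passes a pure "two proofs" rule and fails once the foreign-jurisdiction requirement is switched on, and a proof from a log that has since lost trust is reported as a warning rather than silently counted.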
_______________________________________________
Public mailing list
Public at cabforum.org
https://cabforum.org/mailman/listinfo/public