[cabfpub] Upcoming changes to Google Chrome's certificate handling

Jeremy Rowley jeremy.rowley at digicert.com
Fri Nov 8 15:20:04 UTC 2013


Right now, Google trusts Google's pilot log, although that trust is not
deployed in the widely distributed version of the browser. Still, someone
has to move the ball forward and start logging their certs. We keep running
into the chicken and the egg problem in this industry, and I'd like to break
that cycle. Hopefully, our early adoption will inspire others to do
likewise, and help Google decide to require logging for all certificates at
the outset, instead of just EV. 

I realize Google's plan is to turn on CT for all certificates, but I oppose
using EV as a testbed for projects.  The practice of using EV as a testbed
for improvements will damage EV's reputation and make it less desirable to
customers.  No one wants to use test certs on their live servers.

Although Google may not trust its pilot log later, we hope it will trust
the DigiCert log at that time.  Since the DigiCert log will contain the same
DigiCert certs as sent to the Google log, there won't be a lapse in CT
coverage.  I consider Google's future removal of its pilot log as a test
case of what happens when a log is compromised.   

Jeremy


-----Original Message-----
From: Rob Stradling [mailto:rob.stradling at comodo.com] 
Sent: Friday, November 08, 2013 4:22 AM
To: Jeremy Rowley; public at cabforum.org
Subject: Re: [cabfpub] Upcoming changes to Google Chrome's certificate
handling

On 07/11/13 19:44, Jeremy Rowley wrote:
> Although we appreciate Rick's and Erwann's points (and agree with a 
> few of them), DigiCert still strongly supports CT.  Speaking from 
> experience (as we already make CT available to customers),

Jeremy, I'm curious, how exactly do you "make CT available to customers" 
already, in any meaningful way?

No browsers trust any CT logs yet.

AFAIK, Google's Pilot CT Log won't necessarily become one of the Production
CT Logs that will be trusted by CT-enabled Chrome.

<snip>
> 10)Mandate.   We believe Google should require CT for all certs, not
> just EV.

So do Google.

"Once we have gained experience with EV certificates we will publish a plan
to bring CT to all certificates."

--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online




