[cabfpub] Upcoming changes to Google Chrome's certificate handling

Rob Stradling rob.stradling at comodo.com
Fri Nov 8 23:05:58 UTC 2013

On 08/11/13 15:20, Jeremy Rowley wrote:
> Right now, Google trusts Google's pilot log, although that trust is not
> deployed in the widely distributed version of the browser. Still, someone
> has to move the ball forward and start logging their certs. We keep running
> into the chicken and the egg problem in this industry, and I'd like to break
> that cycle. Hopefully, our early adoption will inspire others to do
> likewise,

Personally, I hope so too.

> and help Google decide to require logging for all certificates at
> the outset, instead of just EV.
> I realize Google's plan is to turn on CT for all certificates, but I oppose
> using EV as a testbed for projects.  The practice of using EV as a testbed
> for improvements will damage EV's reputation and make it less desirable to
> customers.  No one wants to use test certs on their live servers.

I understand what you're saying, but I think that if something goes 
seriously wrong during the "testbed" phase, I'd rather the outcome was 
the loss of the green bar rather than all Chrome clients rejecting all 
SSL/TLS connections!

> Although Google may not trust it's pilot log later, we hope it will trust
> the DigiCert log at that time.  Since the DigiCert log will contain the same
> DigiCert certs as sent to the Google log, there won't be a lapse in CT
> coverage.  I consider Google's future removal of its pilot log as a test
> case of what happens when a log is compromised.

Is the DigiCert CT Log publicly accessible?  If so, what's the URL?


> Jeremy
> -----Original Message-----
> From: Rob Stradling [mailto:rob.stradling at comodo.com]
> Sent: Friday, November 08, 2013 4:22 AM
> To: Jeremy Rowley; public at cabforum.org
> Subject: Re: [cabfpub] Upcoming changes to Google Chrome's certificate
> handling
> On 07/11/13 19:44, Jeremy Rowley wrote:
>> Although we appreciate Rick's and Erwann's points (and agree with a
>> few of them), DigiCert still strongly supports CT.  Speaking from
>> experience (as we already make CT available to customers),
> Jeremy, I'm curious, how exactly do you "make CT available to customers"
> already, in any meaningful way?
> No browsers trust any CT logs yet.
> AFAIK, Google's Pilot CT Log won't necessarily become one of the Production
> CT Logs that will be trusted by CT-enabled Chrome.
> <snip>
>> 10)Mandate.   We believe Google should require CT for all certs, not
>> just EV.
> So do Google.
> "Once we have gained experience with EV certificates we will publish a plan
> to bring CT to all certificates."
> --
> Rob Stradling
> Senior Research & Development Scientist
> COMODO - Creating Trust Online

Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
Office Tel: +44.(0)1274.730505
Office Fax: +44.(0)1274.730909

COMODO CA Limited, Registered in England No. 04058690
Registered Office:
   3rd Floor, 26 Office Village, Exchange Quay,
   Trafford Road, Salford, Manchester M5 3EQ

This e-mail and any files transmitted with it are confidential and 
intended solely for the use of the individual or entity to whom they are 
addressed.  If you have received this email in error please notify the 
sender by replying to the e-mail containing this attachment. Replies to 
this email may be monitored by COMODO for operational or business 
reasons. Whilst every endeavour is taken to ensure that e-mails are free 
from viruses, no liability can be accepted and the recipient is 
requested to use their own virus checking software.

More information about the Public mailing list