[cabfpub] Upcoming changes to Google Chrome's certificate handling

i-barreira at izenpe.net i-barreira at izenpe.net
Mon Nov 11 07:55:00 UTC 2013

We're going live with CT as well, but as said, only for EVs. We think that turning on CT for all certificates can have some issues with the data protection law, for example for those qualified certificates issued to natural or legal persons. We're studying whether the logs sent to Google (in this particular case) can affect this organic law. At the moment, for SSL certs we don't see any issue.

Iñigo Barreira
Head of the Technical Area
i-barreira at izenpe.net


-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Jeremy Rowley
Sent: Friday, November 08, 2013 16:20
To: 'Rob Stradling'; public at cabforum.org
Subject: Re: [cabfpub] Upcoming changes to Google Chrome's certificate handling

Right now, Google trusts Google's pilot log, although that trust is not deployed in the widely distributed version of the browser. Still, someone has to move the ball forward and start logging their certs. We keep running into the chicken and the egg problem in this industry, and I'd like to break that cycle. Hopefully, our early adoption will inspire others to do likewise, and help Google decide to require logging for all certificates at the outset, instead of just EV. 

I realize Google's plan is to turn on CT for all certificates, but I oppose using EV as a testbed for projects.  The practice of using EV as a testbed for improvements will damage EV's reputation and make it less desirable to customers.  No one wants to use test certs on their live servers.

Although Google may not trust its pilot log later, we hope it will trust the DigiCert log at that time.  Since the DigiCert log will contain the same DigiCert certs as sent to the Google log, there won't be a lapse in CT coverage.  I consider Google's future removal of its pilot log as a test case of what happens when a log is compromised.


-----Original Message-----
From: Rob Stradling [mailto:rob.stradling at comodo.com]
Sent: Friday, November 08, 2013 4:22 AM
To: Jeremy Rowley; public at cabforum.org
Subject: Re: [cabfpub] Upcoming changes to Google Chrome's certificate handling

On 07/11/13 19:44, Jeremy Rowley wrote:
> Although we appreciate Rick's and Erwann's points (and agree with a 
> few of them), DigiCert still strongly supports CT.  Speaking from 
> experience (as we already make CT available to customers),

Jeremy, I'm curious, how exactly do you "make CT available to customers" already, in any meaningful way?

No browsers trust any CT logs yet.

AFAIK, Google's Pilot CT Log won't necessarily become one of the Production CT Logs that will be trusted by CT-enabled Chrome.

> 10)Mandate.   We believe Google should require CT for all certs, not
> just EV.

So do Google.

"Once we have gained experience with EV certificates we will publish a plan to bring CT to all certificates."

Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
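The log-trust question the thread keeps returning to (which CT logs a client currently trusts, and whether a certificate stays covered when one of those logs is later dropped, as Jeremy's message anticipates for Google's pilot log) is mechanical enough to show in code. The block below is an added example written for this page; it is not code from the CA/B Forum thread, nor from Google, DigiCert or Comodo. It serialises and parses RFC 6962 v1 SignedCertificateTimestamp structures using constructed stand-in log keys and placeholder signatures (no signature verification is performed), and then applies a deliberately simplified trust policy of my own, not Chrome's: an SCT counts only if its log ID is in the client's current trusted set. The log names, key bytes, timestamp and the "pilot log removed" scenario are all assumptions made for the example.

```python
"""Parse RFC 6962 SignedCertificateTimestamp structures and evaluate a
simplified log-trust policy (added example, not code from the thread).

Assumptions: log keys below are made-up bytes, not real SPKIs; signatures
are placeholders and are not verified; the trust policy is a simplified
one written for illustration and is NOT Chrome's actual CT policy.
"""
import hashlib
import struct

# Constructed stand-ins for two logs' DER-encoded SubjectPublicKeyInfo.
# RFC 6962 defines the 32-byte log ID as SHA-256 over the log's DER SPKI.
PILOT_SPKI = b"constructed-pilot-log-public-key"
DIGICERT_SPKI = b"constructed-digicert-log-public-key"

# Constructed issuance time: 2013-11-08T00:00:00Z in milliseconds.
T_MS = 1383868800000


def log_id(der_spki: bytes) -> bytes:
    """Log ID = SHA-256(DER SubjectPublicKeyInfo) per RFC 6962 s3.2."""
    return hashlib.sha256(der_spki).digest()


def build_sct(log_spki: bytes, timestamp_ms: int,
              signature: bytes = b"\x00" * 8) -> bytes:
    """Serialise a v1 SCT: version, log_id, timestamp, extensions,
    SignatureAndHashAlgorithm, length-prefixed signature (placeholder)."""
    return b"".join([
        b"\x00",                          # sct_version = v1
        log_id(log_spki),                 # 32-byte log id
        struct.pack(">Q", timestamp_ms),  # uint64 ms since epoch
        struct.pack(">H", 0),             # no extensions
        b"\x04\x03",                      # hash sha256(4), sig ecdsa(3)
        struct.pack(">H", len(signature)),
        signature,
    ])


def build_sct_list(scts) -> bytes:
    """SignedCertificateTimestampList: 2-byte total length, then each SCT
    with its own 2-byte length prefix (the TLS vector encoding)."""
    body = b"".join(struct.pack(">H", len(s)) + s for s in scts)
    return struct.pack(">H", len(body)) + body


def parse_sct(data: bytes) -> dict:
    """Decode one v1 SCT, rejecting unknown versions and truncated input."""
    if data[0] != 0:
        raise ValueError("unsupported SCT version")
    lid = data[1:33]
    (ts,) = struct.unpack(">Q", data[33:41])
    (ext_len,) = struct.unpack(">H", data[41:43])
    p = 43 + ext_len                      # skip extensions
    hash_alg, sig_alg = data[p], data[p + 1]
    (sig_len,) = struct.unpack(">H", data[p + 2:p + 4])
    sig = data[p + 4:p + 4 + sig_len]
    if len(sig) != sig_len:
        raise ValueError("truncated signature")
    return {"log_id": lid, "timestamp_ms": ts,
            "hash_alg": hash_alg, "sig_alg": sig_alg, "signature": sig}


def parse_sct_list(blob: bytes) -> list:
    """Decode an SCT list, checking the outer length against the input."""
    (total,) = struct.unpack(">H", blob[:2])
    if total != len(blob) - 2:
        raise ValueError("SCT list length mismatch")
    pos, out = 2, []
    while pos < len(blob):
        (n,) = struct.unpack(">H", blob[pos:pos + 2])
        pos += 2
        out.append(parse_sct(blob[pos:pos + n]))
        pos += n
    return out


def covering_logs(sct_list_blob: bytes, trusted: dict) -> list:
    """Simplified policy (assumption, not Chrome's): an SCT counts only if
    its log ID is in the client's current trusted set. Returns the names of
    trusted logs that cover the certificate, in SCT order."""
    return [trusted[s["log_id"]] for s in parse_sct_list(sct_list_blob)
            if s["log_id"] in trusted]


# Constructed scenario: a cert logged only to the pilot log, and one logged
# to both, evaluated before and after the pilot log is dropped from trust.
TRUSTED_BEFORE = {log_id(PILOT_SPKI): "Google Pilot",
                  log_id(DIGICERT_SPKI): "DigiCert"}
TRUSTED_AFTER = {log_id(DIGICERT_SPKI): "DigiCert"}
PILOT_ONLY = build_sct_list([build_sct(PILOT_SPKI, T_MS)])
BOTH_LOGS = build_sct_list([build_sct(PILOT_SPKI, T_MS),
                            build_sct(DIGICERT_SPKI, T_MS)])

if __name__ == "__main__":
    for name, blob in (("pilot-only cert", PILOT_ONLY), ("dual-logged cert", BOTH_LOGS)):
        print(name, "before removal:", covering_logs(blob, TRUSTED_BEFORE))
        print(name, "after removal: ", covering_logs(blob, TRUSTED_AFTER))
```

Under this policy the certificate logged only to the pilot log loses coverage the moment that log leaves the trusted set, while the one also logged to a second log keeps it; a real client policy would additionally verify each SCT's signature against the log key and apply its own rules for SCTs issued before a log was disqualified.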
