[cabfpub] Updated Certificate Transparency + Extended Validation plan

Ryan Sleevi sleevi at google.com
Tue Feb 4 11:08:25 MST 2014


One can also use OCSP Stapling or the TLS extension. OCSP stapling is
particularly useful for also dealing with the revocation status in a single
response.
On Feb 4, 2014 9:52 AM, "Adam Langley" <agl at chromium.org> wrote:

> On Tue, Feb 4, 2014 at 12:33 PM, Jeremy Rowley
> <jeremy.rowley at digicert.com> wrote:
> > Three or four proofs for a 27 month certificate is way too many.  The
> number of proofs should be decided based on the customer's risk profile,
> not a set number based on certificate lifecycle. Adding 400 bytes per
> certificate will make EV certificates unusable by entities concerned with
> performance.
>
> The customer doesn't carry the risk: the risk is that we'll be unable
> to revoke a log in clients due to the number of certificates that
> depend on it.
>
> We should make the SCTs as small as possible, the the switch to larger
> initcwnds in recent years has released much of the pressure on keeping
> certificate sizes below the tradition initcwnd limit.
>
>
> Cheers
>
> AGL
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://cabforum.org/pipermail/public/attachments/20140204/bc247a51/attachment.html 


More information about the Public mailing list