[cabfpub] Updated Certificate Transparency + Extended Validation plan

Adam Langley agl at chromium.org
Tue Feb 4 19:05:00 UTC 2014


On Tue, Feb 4, 2014 at 1:58 PM, Doug Beattie
<doug.beattie at globalsign.com> wrote:
> The number of proofs should be related to the reputation of the CA, the number
> of years the CA has been in business

I think you're assuming that a larger number of proofs is designed to
catch possible malpractice on the part of the CA, but that's not it at
all.

The aim is to make sure that bad /logs/ can be distrusted. The major
obstacle to killing logs is that certificates depend on the proofs and
that, if we killed all the logs that a certificate was depending on,
the site in question might go dark. In order to make sure that logs
can be distrusted without blowback, the number of proofs increases as
the duration of the certificate does. Thus, even if we kill one log
every 12 months (which we certainly hope not to do!), longer lived
certificates would still be functional towards the end of their lives.


Cheers

AGL



More information about the Public mailing list