[cabfpub] Updated Certificate Transparency + Extended Validation plan

Jeremy Rowley jeremy.rowley at digicert.com
Tue Feb 4 20:10:41 UTC 2014

That has little to do with distrusting a log.  That's an argument for
shorter-lived certificates in general.  

To continue your analogy: 

If the certificate sets out on a two year journey with a passport, it might
realize this is better than grabbing a utility bill and phone receipt.  Why
would it carry garbage when it already has something everyone accepts?


-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
Behalf Of Adam Langley
Sent: Tuesday, February 04, 2014 12:42 PM
To: certificate-transparency at googlegroups.com
Cc: therightkey; CABFPub
Subject: Re: [cabfpub] Updated Certificate Transparency + Extended
Validation plan

On Tue, Feb 4, 2014 at 2:10 PM, Jeremy Rowley <jeremy.rowley at digicert.com>
> I do not think this is correct.  The number of proofs actually increases
as you decrease validity periods.

Consider a certificate setting out on a journey. It always needs to have
identity papers with it because the Browser Police are always on the lookout
for unregistered certificates. However, the Browser Police sometimes decide
that certain forms of ID are no longer acceptable and so a certificate needs
to carry several forms of ID with it. If it's setting out on a one year
journey it's wise to have two forms of ID because one might become
distrusted over the year, but it's vanishingly unlikely that both would be.

However, if our plucky certificate is setting out on a two year journey then
it's wise to carry three forms of ID just in case two become useless while
it's out in the world. The longer it'll be out, the more forms of id it
should carry to ensure that one is always acceptable.


Public mailing list
Public at cabforum.org

More information about the Public mailing list