[cabfpub] Updated Certificate Transparency + Extended Validation plan
Jeremy Rowley
jeremy.rowley at digicert.com
Tue Feb 4 20:37:44 UTC 2014
Doesn't that simply require the cert user to either start using OCSP with an
embedded certificate or getting a new certificate from the user? Plus,
under the current plan, the site doesn't go dark. Instead, their EV cert
isn't recognized as an EV certificate.
-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
Behalf Of Adam Langley
Sent: Tuesday, February 04, 2014 1:32 PM
To: Jeremy Rowley
Cc: therightkey; certificate-transparency; CABFPub
Subject: Re: [cabfpub] Updated Certificate Transparency + Extended
Validation plan
On Tue, Feb 4, 2014 at 3:24 PM, Jeremy Rowley <jeremy.rowley at digicert.com>
wrote:
> What's wrong with rendering certificates invalid? Isn't the burden on
> the CA to ensure their customers are satisfied? If the CA wants to
> take the risk, let them. We'll make sure our customers 100% understand
> the risks when deciding how many proofs to embed.
But the burden of an invalid certificate significantly falls on
users/browsers, not just on the site. If distrusting a log causes 1% of the
Internet to go dark, we essentially cannot do it. It's because of these
externalities that we're seeking these assurances.
Cheers
AGL
_______________________________________________
Public mailing list
Public at cabforum.org
https://cabforum.org/mailman/listinfo/public
More information about the Public
mailing list