[cabfpub] Updated Certificate Transparency + Extended Validation plan

Jeremy Rowley jeremy.rowley at digicert.com
Tue Feb 4 20:37:44 UTC 2014

Doesn't that simply require the cert user to either start using OCSP with an
embedded certificate or get a new certificate from the user?  Plus,
under the current plan, the site doesn't go dark. Instead, their EV cert
isn't recognized as an EV certificate.

-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
Behalf Of Adam Langley
Sent: Tuesday, February 04, 2014 1:32 PM
To: Jeremy Rowley
Cc: therightkey; certificate-transparency; CABFPub
Subject: Re: [cabfpub] Updated Certificate Transparency + Extended
Validation plan

On Tue, Feb 4, 2014 at 3:24 PM, Jeremy Rowley <jeremy.rowley at digicert.com> wrote:
> What's wrong with rendering certificates invalid?  Isn't the burden on 
> the CA to ensure their customers are satisfied?  If the CA wants to 
> take the risk, let them. We'll make sure our customers 100% understand 
> the risks when deciding how many proofs to embed.

But the burden of an invalid certificate significantly falls on
users/browsers, not just on the site. If distrusting a log causes 1% of the
Internet to go dark, we essentially cannot do it. It's because of these
externalities that we're seeking these assurances.

