[cabfpub] Updated Certificate Transparency + Extended Validation plan

Jeremy Rowley jeremy.rowley at digicert.com
Tue Feb 4 20:37:44 UTC 2014


Doesn't that simply require the cert user to either start using OCSP with an
embedded certificate or get a new certificate from the user? Plus,
under the current plan, the site doesn't go dark. Instead, their EV cert
isn't recognized as an EV certificate.

-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
Behalf Of Adam Langley
Sent: Tuesday, February 04, 2014 1:32 PM
To: Jeremy Rowley
Cc: therightkey; certificate-transparency; CABFPub
Subject: Re: [cabfpub] Updated Certificate Transparency + Extended
Validation plan

On Tue, Feb 4, 2014 at 3:24 PM, Jeremy Rowley <jeremy.rowley at digicert.com>
wrote:
> What's wrong with rendering certificates invalid?  Isn't the burden on 
> the CA to ensure their customers are satisfied?  If the CA wants to 
> take the risk, let them. We'll make sure our customers 100% understand 
> the risks when deciding how many proofs to embed.

But the burden of an invalid certificate significantly falls on
users/browsers, not just on the site. If distrusting a log causes 1% of the
Internet to go dark, we essentially cannot do it. It's because of these
externalities that we're seeking these assurances.


Cheers

AGL
_______________________________________________
Public mailing list
Public at cabforum.org
https://cabforum.org/mailman/listinfo/public



