[cabfpub] [therightkey] Updated Certificate Transparency + Extended Validation plan

Ryan Sleevi sleevi at google.com
Wed Feb 5 01:55:45 UTC 2014


On Tue, Feb 4, 2014 at 5:47 PM, Wayne Thayer <wthayer at godaddy.com> wrote:

> I'm somewhat confused by the following two points:
>
> >>5. By July 2014 all EV certificates with validity periods beyond [July
> >>2014] should be logged in at least [one] qualifying log (see below).
> >>6. On 1 Jan 2015 Chrome will create a whitelist of valid EV certificates
> >>already issued without an embedded SCT [issued by CAs participating in CT]
> >>from all qualifying logs.
>
> If EV certificates issued prior to 1 Jan 2015 will be whitelisted, what is
> the purpose of point #5?
>
> Also, regarding point #7, I understand if it's not practical to distribute
> a large whitelist to mobile platforms, but IMO retroactively removing the
> EV indicator from existing certs rather than letting them naturally expire
> before enforcing CT on mobile platforms creates a bad EV experience in
> return for little additional transparency & security.
>
> Thanks,
>
> Wayne
>
>
Hi Wayne,

Considering we already do not indicate EV on Android, nor have we ever, I
don't think this perceived loss of functionality is as significant as you
may believe.

Further, considering the very real and distinct performance characteristics
of mobile (radio warmups, RTTs, initcwnds), the idea of fetching OCSP, or,
worse, CRLs - especially when some CAs have CRLs that are quite large (20+
MB) - in order to assure the EV display is... non-ideal. So again, the EV
indicator on mobile is not as strong or as present as it may be on desktop
platforms.


> -----Original Message-----
> From: therightkey [mailto:therightkey-bounces at ietf.org] On Behalf Of Ben
> Laurie
> Sent: Tuesday, February 04, 2014 10:08 AM
> To: CABFPub; certificate-transparency at googlegroups.com;
> therightkey at ietf.org
> Subject: [therightkey] Updated Certificate Transparency + Extended
> Validation plan
>
> Enclosed, our revised plan.
>
> Comments welcome.