[cabfpub] Updated Certificate Transparency + Extended Validation plan

Jeremy Rowley jeremy.rowley at digicert.com
Wed Feb 5 16:32:36 UTC 2014

True - short lived certs are typically not EV certs, but, as pointed out,
the eventual plan is for all certs.  We might as well make it uniform now.  


Anyone using a short-lived cert must be able to easily replace existing
certificates.  That, combined with the relatively low number of
certificates, minimizes the risk of a site going dark because of a
compromised log.




From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
Behalf Of michal.proszkiewicz at unizeto.pl
Sent: Wednesday, February 05, 2014 9:20 AM
To: agl at chromium.org
Cc: therightkey at ietf.org; public-bounces at cabforum.org;
certificate-transparency at googlegroups.com; public at cabforum.org
Subject: Re: [cabfpub] Updated Certificate Transparency + Extended
Validation plan


If we are talking about EV certificates then probably there are not many
that are valid for 1 month.

It may be the case for other types of certificates. For example, CERTUM issues
trusted test SSL certificates valid for 30 days (standard DV verification
procedures and DV certificate profile).

On the other hand, we give our customers the possibility to manually shorten
the validity period to one day if they like (for every certificate type).


Adam Langley <agl at chromium.org>
Sent by: public-bounces at cabforum.org
2014-02-05 16:40

To: certificate-transparency <certificate-transparency at googlegroups.com>
Cc: "therightkey at ietf.org" <therightkey at ietf.org>, CABFPub <public at cabforum.org>
Subject: Re: [cabfpub] Updated Certificate Transparency + Extended Validation



On Wed, Feb 5, 2014 at 10:26 AM, Rob Stradling <rob.stradling at comodo.com>
> Also, what happened to the idea of only requiring 1 SCT for a 1-month

I'm to blame for that.

Certificates with a single SCT put a lower bound on how quickly we can
distrust a log (at least without special measures, such as shipping
the whole, public log hashes to all the clients, which is probably
impractical.) Since I'm not aware of any CAs issuing one month certs,
and it only saves ~100 bytes vs 2 SCTs, it seemed to be something that
should be dropped.

