[cabfpub] [therightkey] Updated Certificate Transparency + Extended Validation plan
Rob Stradling
rob.stradling at comodo.com
Wed Feb 5 17:48:02 UTC 2014
On 05/02/14 16:55, Paul Hoffman wrote:
> On Feb 5, 2014, at 7:26 AM, Rob Stradling <rob.stradling at comodo.com> wrote:
>
>> Table 1 and Footnote 4 seem a bit confused, wrongly implying that 39-month EV certs do exist and/or that >39-month non-EV certs don't exist.
>>
>>> 27 month EV SSL certificates shouldn't exist, as per the EV Guidelines.
>>
>>> 60 month non-EV SSL certificates shouldn't have been issued by any CA since the BRs came into effect.
>>
>>> 39 month non-EV SSL certificates shouldn't be issued from 1st April 2015, as per the BRs.
>
> The above seems to be based in the belief that no one than CABForum members issue certificates. It also seems to be based on the idea that no CABForum member will ever not follow the current-at-the-time CABForum rules.
>
> The CT work seems to be based on the idea that other CAs exist, and even that CABForum members might not follow the CABForum rules. Those seem like good assumptions to me.
Paul, there are 2 things going on here.
1. The IETF CT work (i.e. RFC6962) hasn't specified anything about
requiring multiple SCTs, and I doubt RFC6962-bis will change that. In
this context, other CAs do exist (both CABForum non-members and
non-publicly-trusted CAs).
2. The Chrome CT roll-out plan. In this context, CAs that don't adhere
to the BRs and EVGs are likely to find that their non-compliant certs
are rejected for other reasons. This is the context to which I was
speaking.
--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
More information about the Public
mailing list