[cabfpub] Updated Certificate Transparency + Extended Validation plan

Adam Langley agl at chromium.org
Wed Feb 5 17:49:21 UTC 2014


On Wed, Feb 5, 2014 at 12:26 PM, Rob Stradling <rob.stradling at comodo.com> wrote:
> Presumably it's somewhere between 10 and 31 days, since 1 SCT is acceptable
> for Stapled OCSP and the BRs permit OCSP Responses to be valid for up to 10
> days.

The speed at which we need to distrust a log depends on the minimum
number of SCTs actually, which is why allowing a single SCT in stapled
OCSP responses is such a large concession. If the minimum number of
SCTs were two then the pressure to distrust a log (and the pressure on
the logs) would be dramatically reduced because compromising one log
wouldn't be sufficient.

> Do you still think [1] is a good plan?

Sure, if any CAs are willing to do it now :)

> How about requiring only 1 SCT for certs with durations <= the maximum
> validity period for an OCSP Response?

I agree that, if we're going to allow one SCT for stapled OCSP
responses, then we might as well allow one for 10-day certs.

However, the only case where ~100 bytes makes any difference is if the
certificate chain is right on the edge of the initcwnd and the server
cannot (somehow?) set the initcwnd. I.e. it's gone cargo cult.


Cheers

AGL


