[cabfpub] Updated Certificate Transparency + Extended Validation plan
Rob Stradling
rob.stradling at comodo.com
Thu Feb 13 11:23:34 UTC 2014
On 13/02/14 00:11, Jeremy Rowley wrote:
> So far no struggles. PKI tree looks fine.
Same here.
FWIW, the PKI-related and ASN.1-related code changes were the easy part
for me. It actually took me much, much longer to get my head around
cURL's "multi interface" and implement the scattergun approach to
logging certs and obtaining SCTs...
http://www.certificate-transparency.org/faq (emphasis mine)
"Will there be a limit on the number of trusted CT logs? Or will every
CA that wants to run a trusted CT log be able to do so?
Increasing the number of CT logs increases the cost of monitoring for
domains and auditors but we think “every major CA” is within limits of
feasibility. However, CAs should protect themselves against collateral
damage by also logging with third-party CT logs. *High performance can
be achieved by sending parallel requests* to all commonly trusted CT
logs and embedding the first n SCT responses."
> Jeremy
>
> *From:*public-bounces at cabforum.org [mailto:public-bounces at cabforum.org]
> *On Behalf Of *Eddy Nigg (StartCom Ltd.)
> *Sent:* Wednesday, February 12, 2014 3:40 PM
> *To:* public at cabforum.org
> *Subject:* Re: [cabfpub] Updated Certificate Transparency + Extended
> Validation plan
>
>
> On 02/10/2014 06:28 PM, From Chema López González:
>
> Have anyone take into account the current position of EJBCA
> <http://blog.ejbca.org/2013/09/certificate-transparency-and.html>, a
> mayor player in this stuff of digital certificates?
>
>
> And I want to see how CAs will struggle when they issue one thing
> initially as a pre-certificate and then place something else into the
> actual certificate and mess with their entire infrastructure maintaining
> multiple PKI trees. Or will poke holes the size of a football field into
> their infrastructure in order to get the desired result. And eventually
> simply drop pre-certificates entirely. That's in the best case, it the
> worse case they either got hacked at some point or messed up their PKI
> trees with who issued what when at which time and to whom...good luck
> with that.
>
> Regards
>
> Signer:
>
>
>
> Eddy Nigg, COO/CTO
>
>
>
> StartCom Ltd. <http://www.startcom.org>
>
> XMPP:
>
>
>
> startcom at startcom.org <xmpp:startcom at startcom.org>
>
> Blog:
>
>
>
> Join the Revolution! <http://blog.startcom.org>
>
> Twitter:
>
>
>
> Follow Me <http://twitter.com/eddy_nigg>
>
>
>
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public
>
--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
Office Tel: +44.(0)1274.730505
Office Fax: +44.(0)1274.730909
www.comodo.com
COMODO CA Limited, Registered in England No. 04058690
Registered Office:
3rd Floor, 26 Office Village, Exchange Quay,
Trafford Road, Salford, Manchester M5 3EQ
This e-mail and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they are
addressed. If you have received this email in error please notify the
sender by replying to the e-mail containing this attachment. Replies to
this email may be monitored by COMODO for operational or business
reasons. Whilst every endeavour is taken to ensure that e-mails are free
from viruses, no liability can be accepted and the recipient is
requested to use their own virus checking software.
More information about the Public
mailing list