[cabfpub] CT discussion at CABF

[Rob Stradling]

On 21/02/14 09:35, Eddy Nigg (StartCom Ltd.) wrote:
>
> On 02/21/2014 05:46 AM, From Ryan Sleevi:
>> I want to avoid that situation, because it's clear you're unhappy, but
>> it's inevitable without more constructive feedback.
>>
>>     -Don’t rush into this, because we’re likely to make mistakes if we
>>     have to rush. Not just the CAs; there are a lot of moving parts
>>     here. I heard someone say “you can’t make fundamental changes to a
>>     complex trust system very quickly”.
>>
>> While I can appreciate a sentiment of "Don't rush", this is a very
>> vague sentiment that is not actionably concrete. What, for example,
>> constitutes a rush?
>
> For me it's when CT can be supported without the need of
> pre-certificates. The time it requires to update third party software is
> basically the right time.

Hi Eddy.  Please clarify what you mean by "to update".

There's a big difference between (1) a feature/update being available in 
the latest version of some third-party software and (2) that 
feature/update actually being deployed everywhere.

Getting the RFC6962 TLS Extension deployed everywhere will probably take 
years, if not decades.
Getting SCTs-in-Stapled-OCSP-Responses deployed everywhere should happen 
quicker than that, because deployment of OCSP Stapling has an N-year 
head start over deployment of the RFC6962 TLS Extension.  But, even 
then, it's still going to take N years.

The Precertificate option exists because N more years is simply too long 
to wait!

It's already been nearly quarter of a decade since the DigiNotar attack. 
  We should expect further attacks to occur.  We need to act with urgency.

-- 
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online