[cabfpub] CT discussion at CABF
rob.stradling at comodo.com
Fri Feb 21 10:55:01 UTC 2014
On 21/02/14 09:35, Eddy Nigg (StartCom Ltd.) wrote:
> On 02/21/2014 05:46 AM, From Ryan Sleevi:
>> I want to avoid that situation, because it's clear you're unhappy, but
>> it's inevitable without more constructive feedback.
>>
>> -Don’t rush into this, because we’re likely to make mistakes if we
>> have to rush. Not just the CAs; there are a lot of moving parts
>> here. I heard someone say “you can’t make fundamental changes to a
>> complex trust system very quickly”.
>>
>> While I can appreciate a sentiment of "Don't rush", this is a very
>> vague sentiment that is not actionably concrete. What, for example,
>> constitutes a rush?
>
> For me it's when CT can be supported without the need of
> pre-certificates. The time it requires to update third party software is
> basically the right time.
Hi Eddy. Please clarify what you mean by "to update".

There's a big difference between (1) a feature/update being available in
the latest version of some third-party software and (2) that
feature/update actually being deployed everywhere.

Getting the RFC6962 TLS Extension deployed everywhere will probably take
years, if not decades.

Getting SCTs-in-Stapled-OCSP-Responses deployed everywhere should happen
quicker than that, because deployment of OCSP Stapling has an N-year
head start over deployment of the RFC6962 TLS Extension. But, even
then, it's still going to take N years.

The Precertificate option exists because N more years is simply too long.
It's already been nearly a quarter of a decade since the DigiNotar attack.
We should expect further attacks to occur. We need to act with urgency.
Senior Research & Development Scientist
COMODO - Creating Trust Online