[cabfpub] Updated Certificate Transparency + ExtendedValidationplan

Rob Stradling rob.stradling at comodo.com
Fri Mar 6 08:46:06 MST 2015


Mat, I generated two more reports yesterday (see attached) that you 
might find interesting.

not_whitelisted.csv summarizes the number of EV certs without embedded 
SCTs that were issued before the end of 2014 but only logged since the 
beginning of 2015.  These certs did not make it into Chrome's EV 
whitelist and will therefore not be given EV treatment by Chrome once 
the EV/CT Plan takes effect (*).
The reasons for not whitelisting vary: some CAs apparently made little 
or no effort to whitelist any certs; some CAs may have deliberately not 
whitelisted certain EV certs at the request of their customers; it's 
possible that some CAs overlooked some certs; Comodo whitelisted all EV 
certs except those that had already been revoked.

not_embedded.csv summarizes the number of EV certs without embedded SCTs 
that have been issued since the beginning of 2015.  These certs will not 
be given EV treatment by Chrome once the EV/CT Plan takes effect (*).
I was surprised to see several of the larger EV cert issuers in this 
list, but perhaps they're deliberately not embedding SCTs in some EV 
certs at the request of their customers.

The following EV cert issuers have issued EV certs this year, none of 
which contain any embedded SCTs.  I think this might be the best way to 
measure which CAs are _not_ "on board" with CT.

StartCom
Cybertrust/Verizon
SECOM Trust
SwissSign
T-Systems
D-TRUST
TWCA
OPENTRUST
Camerfirma


(*) Unless the certificate holder's TLS server supports the RFC6962 
signed_certificate_timestamp TLS extension or OCSP Stapling (and the CA 
embeds SCTs into OCSP Responses).  Both of these possibilities are 
likely to be rare at the moment.

On 27/02/15 07:40, i-barreira at izenpe.net wrote:
> And for example, Izenpe indicated that we were not interested in running a log server, and we're running one :-)
>
>
> Iñigo Barreira
> Head of the Technical Area
> i-barreira at izenpe.net
> 945067705
>
>
>
> -----Original message-----
> From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On behalf of Rob Stradling
> Sent: Friday, 27 February 2015 5:18
> To: Mat Caughron
> CC: therightkey at ietf.org; certificate-transparency at googlegroups.com; CABFPub
> Subject: Re: [cabfpub] Updated Certificate Transparency + ExtendedValidationplan
>
> Good question, Mat.
>
> I've just generated a report (see attached) that shows, per issuing CA, the number of certs with embedded SCTs that have been logged in the currently existing CT logs so far.
>
> That is one measurement of which CAs are "on board", but it's not the full story.
>
> On 26/02/15 17:39, Mat Caughron wrote:
>> Hello Rob,
>>
>> So presumably, the survey if conducted now would indicate a few more
>> CAs on board than indicated here?
>> http://www.certificate-transparency.org/feb-2014-survey-responses
>>
>>
>>
>> Mat Caughron
>>  Product Security
>> mcaughron at appe.com <mailto:mcaughron at appe.com>
>>
>>
>>
>>> On Feb 26, 2015, at 2:24 PM, Rob Stradling <rob.stradling at comodo.com
>>> <mailto:rob.stradling at comodo.com>> wrote:
>>>
>>> On 26/02/15 17:15, Mat Caughron wrote:
>>>> Greetings:
>>>>
>>>> It has been one year, has this CT plan been updated at all?
>>>
>>> Hi Mat.
>>>
>>> Google's EV/CT Plan has been updated a couple of times since then.
>>>   See here:
>>> http://www.certificate-transparency.org/ev-ct-plan
>>>
>>>> Sincerely,
>>>>
>>>>
>>>> Mat Caughron
>>>>  Product Security
>>>>
>>>>
>>>>
>>>>> On Feb 4, 2014, at 9:08 AM, Ben Laurie <benl at google.com> wrote:
>>>>>
>>>>> Enclosed, our revised plan.
>>>>>
>>>>> Comments welcome.
>>>>> <EVCTPlanFeb2014edition.pdf>
>>>>
>>>
>>> --
>>> Rob Stradling
>>> Senior Research & Development Scientist COMODO - Creating Trust
>>> Online
>>
>
> --
> Rob Stradling
> Senior Research & Development Scientist
> COMODO - Creating Trust Online
> Office Tel: +44.(0)1274.730505
> Office Fax: +44.(0)1274.730909
> www.comodo.com
>
> COMODO CA Limited, Registered in England No. 04058690 Registered Office:
>     3rd Floor, 26 Office Village, Exchange Quay,
>     Trafford Road, Salford, Manchester M5 3EQ
>

-- 
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
Office Tel: +44.(0)1274.730505
Office Fax: +44.(0)1274.730909
www.comodo.com

COMODO CA Limited, Registered in England No. 04058690
Registered Office:
   3rd Floor, 26 Office Village, Exchange Quay,
   Trafford Road, Salford, Manchester M5 3EQ

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not_whitelisted.csv
Type: text/csv
Size: 3949 bytes
Desc: not available
Url : https://cabforum.org/pipermail/public/attachments/20150306/a001a1d8/attachment-0002.bin 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not_embedded.csv
Type: text/csv
Size: 3071 bytes
Desc: not available
Url : https://cabforum.org/pipermail/public/attachments/20150306/a001a1d8/attachment-0003.bin 

