[cabfpub] Updated Certificate Transparency + Extended Validation plan

Adam Langley agl at chromium.org
Tue Feb 4 13:50:33 MST 2014


On Tue, Feb 4, 2014 at 3:37 PM, Jeremy Rowley
<jeremy.rowley at digicert.com> wrote:
> Doesn't that simply require the cert user to either start using OCSP with an
> embedded certificate or getting a new certificate from the user?

If the certificate was used with OCSP stapling, the CA had a
reasonably short OCSP validity window and the CA could update the SCT
in the OCSP response quickly then that would solve the problem.

However, for the purposes of this spec I don't think we said anything
about that because of the complexity. Having multiple SCTs is clearly
ok and that kept things simple.

> Plus, under the current plan, the site doesn't go dark. Instead, their EV cert isn't recognized as an EV certificate.

For EV certificates the problem is greatly reduced. But EV
certificates are just a trial for doing it universally and we have the
end state in mind.


Cheers

AGL


More information about the Public mailing list