[cabfpub] Updated Certificate Transparency + Extended Validation plan

Ben Laurie benl at google.com
Tue Feb 4 13:54:13 MST 2014


On 4 February 2014 20:50, Adam Langley <agl at chromium.org> wrote:
> On Tue, Feb 4, 2014 at 3:37 PM, Jeremy Rowley
> <jeremy.rowley at digicert.com> wrote:
>> Doesn't that simply require the cert user to either start using OCSP with an
>> embedded certificate or getting a new certificate from the user?
>
> If the certificate was used with OCSP stapling, the CA had a
> reasonably short OCSP validity window and the CA could update the SCT
> in the OCSP response quickly then that would solve the problem.
>
> However, for the purposes of this spec I don't think we said anything
> about that because of the complexity. Having multiple SCTs is clearly
> ok and that kept things simple.

Actually, we do. For the TLS extension and OCSP stapling a single SCT
is allowed.

