[cabfpub] Updated Certificate Transparency + Extended Validation plan

Ben Laurie benl at google.com
Sat Feb 8 13:32:16 UTC 2014


On 5 February 2014 18:21, Rob Stradling <rob.stradling at comodo.com> wrote:
> On 05/02/14 17:49, Adam Langley wrote:
>>
>> On Wed, Feb 5, 2014 at 12:26 PM, Rob Stradling <rob.stradling at comodo.com>
>> wrote:
>>>
>>> Presumably it's somewhere between 10 and 31 days, since 1 SCT is
>>> acceptable
>>> for Stapled OCSP and the BRs permit OCSP Responses to be valid for up to
>>> 10
>>> days.
>>
>>
>> The speed at which we need to distrust a log depends on the minimum
>> number of SCTs actually, which is why allowing a single SCT in stapled
>> OCSP responses is such a large concession. If the minimum number of
>> SCTs were two then the pressure to distrust a log (and the pressure on
>> the logs) would be dramatically reduced because compromising one log
>> wouldn't be sufficient.
>>
>>> Do you still think [1] is a good plan?
>>
>>
>> Sure, if any CAs are willing to do it now :)
>
>
> I think "servers could just download their refreshed certificate over HTTP
> periodically and automatically" is the showstopper at the moment. Yes they
> could, but I'm not aware of any server that actually implements such a
> feature.

Work is under way for Apache: https://github.com/trawick/ct-httpd/.



More information about the Public mailing list