On Tuesday, June 9, 2015 at 12:23:57 PM UTC-7, Kurt Roeckx wrote:
> On Tue, Jun 09, 2015 at 12:00:23PM -0700, Rick Andrews wrote:
> > On Tuesday, June 9, 2015 at 7:45:05 AM UTC-7, Kurt Roeckx wrote:
> > > On 2015-06-09 15:26, Peter Kurrasch wrote:
> > > > 3) How frequently might such tools run? Or to put it differently, how 
> > > > much time do I probably have between when I issue a gmail cert and when 
> > > > someone figures it out (and of course how much longer before my 
> > > > illegitimate cert is no longer valid)? I need only 24 hours to do all 
> > > > the damage I want, but in a pinch I'll make do with 8.
> > > 
> > > CT allows storing a precertificate.  That is, the CA says it intends to 
> > > issue a certificate.  Should we mandate the use of precertificates and a 
> > > minimum time between the precertificate and the real certificate?
> > > 
> > > 
> > > Kurt
> > 
> > Absolutely not. If a CA is unable to get the required minimum number of 
> > SCTs, it will likely not issue the cert (sure, it may retry, but it's 
> > possible that retries fail too). Logging must be seen as intent, but not a 
> > guarantee of issuance.
> 
> I'm not sure I understand what you're saying.
> 
> First, I don't understand your thing about a minimum number of
> SCTs.  I wasn't talking about a minimum number of SCTs between
> them.  The signed certificate timestamp (SCT) has, as the name
> implies, a timestamp.  I'm saying that we could require a minimum
> time between the timestamp from the precertificate and the
> certificate.
> 
> I also didn't say anything about guaranteeing issuance.  The
> whole point is that we could detect that a wrong one could be
> issued and that we can avoid the issuance.
> 
> 
> Kurt

I should have been more clear. I'm talking about Google's current requirement 
for CAs to adhere to RFC6962 for all EV certs. Google's policy specifies 
minimum numbers of SCTs based on the validity period of the cert. So CAs 
currently have to gather 3 SCTs for a 27-month EV cert.

If CAs issue an EV cert with fewer than the minimum number of SCTs mandated by 
Google, Chrome will not display the EV treatment for that cert. So CAs are 
incentivized to add the required minimum number of SCTs to each EV cert, and 
not issue any EV cert with fewer than the minimum number of SCTs if the 
customer expects to see the EV treatment for their site.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
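The two checks discussed in this thread, as an added example that is not part of the original messages and is not Google's, Chrome's or any CA's code: a validity-tier lookup for the minimum number of SCTs (Rick's description of the Chrome EV policy, where a 27-month cert needs 3 SCTs), and Kurt's proposed minimum delay between a precertificate's SCT timestamp and the certificate's notBefore. Only the 27-month/3-SCT pair comes from the thread; the other tiers in `MIN_SCTS_BY_VALIDITY`, the counting of SCTs per distinct log, the `Sct` dataclass, the `check_ct_policy` function and all sample timestamps and log IDs are assumptions constructed here.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed policy table: (validity in months, up to and including; SCTs required).
# The 27-month / 3-SCT tier is the one quoted in the thread above; the other tiers
# follow my recollection of the 2015 Chrome EV CT policy and are an assumption.
MIN_SCTS_BY_VALIDITY = [(15, 2), (27, 3), (39, 4)]
MIN_SCTS_OVER_39_MONTHS = 5


@dataclass(frozen=True)
class Sct:
    log_id: str          # hex LogID from the SCT (constructed values below)
    timestamp_ms: int    # SCT timestamp: milliseconds since the Unix epoch (RFC 6962)
    from_precert: bool   # True when the SCT was obtained by logging the precertificate


def validity_months(not_before: datetime, not_after: datetime) -> int:
    """Whole months of validity, rounding a partial trailing month up."""
    months = (not_after.year - not_before.year) * 12 + (not_after.month - not_before.month)
    if not_after.day > not_before.day:
        months += 1
    return months


def required_scts(months: int) -> int:
    """Minimum SCT count for a certificate of the given validity (assumed table)."""
    for max_months, needed in MIN_SCTS_BY_VALIDITY:
        if months <= max_months:
            return needed
    return MIN_SCTS_OVER_39_MONTHS


def sct_time(sct: Sct) -> datetime:
    return datetime.fromtimestamp(sct.timestamp_ms / 1000, tz=timezone.utc)


def check_ct_policy(not_before, not_after, scts, min_precert_lead=None):
    """Return a list of policy problems; an empty list means the cert would pass.

    min_precert_lead is Kurt's proposal: a minimum delay between the latest
    precertificate SCT timestamp and the certificate's notBefore. None disables
    that check, which matches the policy as Rick describes it.
    """
    problems = []
    needed = required_scts(validity_months(not_before, not_after))
    # Assumption: several SCTs from the same log count only once.
    logs = {s.log_id for s in scts}
    if len(logs) < needed:
        problems.append(f"{len(logs)} SCT(s) from distinct logs, {needed} required")
    if min_precert_lead is not None:
        precert = [s for s in scts if s.from_precert]
        if not precert:
            problems.append("no precertificate SCT to measure lead time from")
        else:
            lead = not_before - max(sct_time(s) for s in precert)
            if lead < min_precert_lead:
                problems.append(f"only {lead} between precert SCT and notBefore, "
                                f"{min_precert_lead} required")
    return problems


# Constructed sample: a 27-month certificate with three precert SCTs logged
# roughly twenty minutes before notBefore. Log IDs are made-up hex strings.
NOT_BEFORE = datetime(2015, 6, 9, 19, 23, tzinfo=timezone.utc)
NOT_AFTER = datetime(2017, 9, 9, 19, 23, tzinfo=timezone.utc)


def to_ms(dt: datetime) -> int:
    return int(dt.timestamp() * 1000)


SAMPLE_SCTS = [
    Sct("a1" * 32, to_ms(NOT_BEFORE - timedelta(minutes=20)), True),
    Sct("b2" * 32, to_ms(NOT_BEFORE - timedelta(minutes=19)), True),
    Sct("c3" * 32, to_ms(NOT_BEFORE - timedelta(minutes=18)), True),
]


def demo():
    """Three runs: compliant, one SCT short, and under a proposed 24-hour lead."""
    return (
        check_ct_policy(NOT_BEFORE, NOT_AFTER, SAMPLE_SCTS),
        check_ct_policy(NOT_BEFORE, NOT_AFTER, SAMPLE_SCTS[:2]),
        check_ct_policy(NOT_BEFORE, NOT_AFTER, SAMPLE_SCTS, timedelta(hours=24)),
    )


if __name__ == "__main__":
    for result in demo():
        print(result or "policy satisfied")
```

The third run shows the trade-off Rick raises: with a mandatory lead time the sample certificate, which gathered its SCTs minutes before issuance, would be held back even though it carries enough SCTs, so a monitor gets a window to spot a mis-issued precertificate at the cost of issuance latency.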