Doesn't that simply require the cert user to either start using OCSP with an embedded certificate or get a new certificate from the user? Plus, under the current plan, the site doesn't go dark. Instead, their EV cert isn't recognized as an EV certificate.

-----Original Message-----
From: public-boun...@cabforum.org [mailto:public-boun...@cabforum.org] On Behalf Of Adam Langley
Sent: Tuesday, February 04, 2014 1:32 PM
To: Jeremy Rowley
Cc: therightkey; certificate-transparency; CABFPub
Subject: Re: [cabfpub] Updated Certificate Transparency + Extended Validation plan

On Tue, Feb 4, 2014 at 3:24 PM, Jeremy Rowley <jeremy.row...@digicert.com> wrote:
> What's wrong with rendering certificates invalid? Isn't the burden on
> the CA to ensure their customers are satisfied? If the CA wants to
> take the risk, let them. We'll make sure our customers 100% understand
> the risks when deciding how many proofs to embed.

But the burden of an invalid certificate significantly falls on users/browsers, not just on the site. If distrusting a log causes 1% of the Internet to go dark, we essentially cannot do it. It's because of these externalities that we're seeking these assurances.

Cheers

AGL