That has little to do with distrusting a log. That's an argument for shorter-lived certificates in general.
To continue your analogy: If the certificate sets out on a two year journey with a passport, it might realize this is better than grabbing a utility bill and phone receipt. Why would it carry garbage when it already has something everyone accepts?

Jeremy

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Adam Langley
Sent: Tuesday, February 04, 2014 12:42 PM
To: [email protected]
Cc: therightkey; CABFPub
Subject: Re: [cabfpub] Updated Certificate Transparency + Extended Validation plan

On Tue, Feb 4, 2014 at 2:10 PM, Jeremy Rowley <[email protected]> wrote:
> I do not think this is correct. The number of proofs actually increases as you decrease validity periods.

Consider a certificate setting out on a journey. It always needs to have identity papers with it because the Browser Police are always on the lookout for unregistered certificates. However, the Browser Police sometimes decide that certain forms of ID are no longer acceptable and so a certificate needs to carry several forms of ID with it.

If it's setting out on a one year journey it's wise to have two forms of ID because one might become distrusted over the year, but it's vanishingly unlikely that both would be. However, if our plucky certificate is setting out on a two year journey then it's wise to carry three forms of ID just in case two become useless while it's out in the world.

The longer it'll be out, the more forms of ID it should carry to ensure that one is always acceptable.

Cheers

AGL

_______________________________________________
Public mailing list
[email protected]
https://cabforum.org/mailman/listinfo/public

_______________________________________________
therightkey mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/therightkey
