On 05/02/14 16:55, Paul Hoffman wrote:
> On Feb 5, 2014, at 7:26 AM, Rob Stradling <rob.stradl...@comodo.com> wrote:
>
>> Table 1 and Footnote 4 seem a bit confused, wrongly implying that 39-month EV
>> certs do exist and/or that >39-month non-EV certs don't exist.
>>
>> 27-month EV SSL certificates shouldn't exist, as per the EV Guidelines.
>>
>> 60-month non-EV SSL certificates shouldn't have been issued by any CA since the
>> BRs came into effect.
>>
>> 39-month non-EV SSL certificates shouldn't be issued from 1st April 2015, as
>> per the BRs.
>
> The above seems to be based on the belief that no one other than CABForum members
> issue certificates. It also seems to be based on the idea that no CABForum
> member will ever not follow the current-at-the-time CABForum rules.
>
> The CT work seems to be based on the idea that other CAs exist, and even that
> CABForum members might not follow the CABForum rules. Those seem like good
> assumptions to me.

Paul, there are 2 things going on here.

1. The IETF CT work (i.e. RFC6962) hasn't specified anything about requiring multiple SCTs, and I doubt RFC6962-bis will change that. In this context, other CAs do exist (both CABForum non-members and non-publicly-trusted CAs).

2. The Chrome CT roll-out plan. In this context, CAs that don't adhere to the BRs and EVGs are likely to find that their non-compliant certs are rejected for other reasons. This is the context to which I was speaking.

--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
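The validity-period limits quoted in the thread (27 months for EV under the EV Guidelines; 60 months for non-EV certificates under the BRs, dropping to 39 months for certificates issued from 1 April 2015) can be turned into a simple lint that a relying party or CA auditor runs over notBefore/notAfter values. The block below is an added example, not code from the thread, the IETF, or Comodo. It assumes 1 July 2012 as the BR v1.0 effective date (the thread only says "since the BRs came into effect"), treats any partial trailing month as a whole month so that a certificate one day over the limit is flagged, and works on constructed sample certificates rather than real ones.

```python
"""Validity-period lint for the EV Guidelines / Baseline Requirements limits quoted in the thread."""
from datetime import date, datetime

# Limits and dates stated in the thread.
EV_MAX_MONTHS = 27                        # EV Guidelines
PRE_2015_MAX_MONTHS = 60                  # BRs, certs issued before 1 April 2015
POST_2015_MAX_MONTHS = 39                 # BRs, certs issued from 1 April 2015
BR_39_MONTH_CUTOFF = date(2015, 4, 1)
# Assumption, not stated in the thread: BR v1.0 became effective on 1 July 2012.
BR_EFFECTIVE = date(2012, 7, 1)


def parse_x509_time(value: str) -> date:
    """Parse an X.509 UTCTime (YYMMDDHHMMSSZ) or GeneralizedTime (YYYYMMDDHHMMSSZ).

    RFC 5280 rule for UTCTime: two-digit years 50-99 mean 19xx, 00-49 mean 20xx.
    Only Zulu-time encodings are handled; anything else is rejected.
    """
    if not value.endswith("Z"):
        raise ValueError("only Zulu-time encodings are handled: %r" % value)
    digits = value[:-1]
    if len(digits) == 12:                 # UTCTime
        yy = int(digits[:2])
        year = 1900 + yy if yy >= 50 else 2000 + yy
        rest = digits[2:]
    elif len(digits) == 14:               # GeneralizedTime
        year = int(digits[:4])
        rest = digits[4:]
    else:
        raise ValueError("unrecognised time encoding: %r" % value)
    month, day = int(rest[0:2]), int(rest[2:4])
    hour, minute, second = int(rest[4:6]), int(rest[6:8]), int(rest[8:10])
    # datetime() validates the field ranges; only the date matters for month counting.
    return datetime(year, month, day, hour, minute, second).date()


def months_between(start: date, end: date) -> int:
    """Calendar months from start to end; a partial trailing month counts as a whole one."""
    months = (end.year - start.year) * 12 + (end.month - start.month)
    if end.day > start.day:
        months += 1
    return months


def max_validity_months(not_before: date, ev: bool):
    """Return the limit that applied at issuance, or None if none of the quoted rules apply."""
    if ev:
        return EV_MAX_MONTHS
    if not_before >= BR_39_MONTH_CUTOFF:
        return POST_2015_MAX_MONTHS
    if not_before >= BR_EFFECTIVE:
        return PRE_2015_MAX_MONTHS
    return None


def check_validity(not_before: str, not_after: str, ev: bool) -> dict:
    """Compare a certificate's validity period with the limit in force when it was issued."""
    start, end = parse_x509_time(not_before), parse_x509_time(not_after)
    months = months_between(start, end)
    limit = max_validity_months(start, ev)
    return {"months": months, "limit": limit, "compliant": limit is None or months <= limit}


# Constructed sample certificates (label, notBefore, notAfter, is_ev); not real certificates.
SAMPLE_CERTS = [
    ("ev-27-months",      "140101000000Z",   "160401000000Z",   True),
    ("ev-39-months",      "140601000000Z",   "170901000000Z",   True),
    ("dv-60-months-2014", "140101000000Z",   "190101000000Z",   False),
    ("dv-60-months-2015", "150401000000Z",   "200401000000Z",   False),
    ("dv-39-months-2015", "20150401000000Z", "20180701000000Z", False),
]


def lint(certs=SAMPLE_CERTS) -> list:
    """Return the labels of certificates whose validity period exceeds the applicable limit."""
    return [label for label, nb, na, ev in certs if not check_validity(nb, na, ev)["compliant"]]


if __name__ == "__main__":
    for label, nb, na, ev in SAMPLE_CERTS:
        print(label, check_validity(nb, na, ev))
    print("non-compliant:", lint())
```

Running the block flags `ev-39-months` (an EV certificate past the 27-month limit) and `dv-60-months-2015` (a 60-month non-EV certificate issued after the 39-month rule took effect), while the 27-month EV and the pre-cutoff 60-month non-EV certificate pass, which is exactly the distinction the thread draws between the two rule sets.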
_______________________________________________
therightkey mailing list
therightkey@ietf.org
https://www.ietf.org/mailman/listinfo/therightkey