Fwd: [ct-policy] Understanding use-cases for SCTs delivered via OCSP stapling for TLS extension


Pierre Phaneuf

Jan 30, 2023, 4:27:54 AM
to certificate-transparency


---------- Forwarded message ---------
From: Joe DeBlasio <jdeb...@chromium.org>
Date: Fri, 27 Jan 2023 at 23:31
Subject: [ct-policy] Understanding use-cases for SCTs delivered via OCSP stapling for TLS extension
To: Certificate Transparency Policy <ct-p...@chromium.org>


Hi ct-policy@,


Chrome is looking to better understand active use-cases of SCTs delivered via OCSP Stapling and/or TLS extension (i.e. not embedded in the certificate).


Though these mechanisms are included in RFC 6962, current use is extremely low. Supporting them contributes significant complexity to Chrome's certificate validation pipeline and CT processes.


If your, or your clients', processes necessitate the use of these mechanisms, we'd like to learn more! Replies to this post on-thread are great, but if you'd prefer, you can also reply to me directly.


Thanks,

Joe



--
You received this message because you are subscribed to the Google Groups "Certificate Transparency Policy" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ct-policy+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/ct-policy/CAFZs0S5CQ8_v7-Sb3oJo8SmUkkA9AM7pPj%2Bc4s4z5SX-euU9_w%40mail.gmail.com.

Nick Sullivan

Feb 9, 2023, 5:29:45 PM
to Joe DeBlasio, certificate-...@googlegroups.com, Certificate Transparency Policy
Hi Joe,

We (Cloudflare) got this email a while back but have been delayed in formulating a response. We currently support SCT-in-TLS and automatically check certificates against all client policies so that we can make sure every connection to Cloudflare is SCT qualified for all clients. I'm including a short summary of our position here. Other team members may have some things to add.

This mechanism isn’t commonly used at the moment for many certificates, but it’s not intended for use in typical circumstances where policies are stable. The benefit of this mechanism is to help keep the PKI working on CT-validating browsers when policies change or diverge between multiple clients. We consider it a strong insurance policy for when clients disagree about CT policy or CAs are slow to update their SCT inclusion policies in response to client policies. Two log disqualifications without a swift and immediate move from CAs to stop using them may result in many certificates causing errors in browsers without SCT-in-TLS as a remediation mechanism.

It might be helpful to crawl through the CT Monitor data, and calculate how many certs would have to be reissued should Chrome proceed with dropping stapled SCT support. We currently have a “CT-Qualified Cert” status on https://ct.cloudflare.com/ that is supposed to show how many certs are accepted by Chrome CT policy, but it is not entirely accurate due to changes to the policy that have not been implemented yet.

Not having in-TLS SCTs as a backup puts the ecosystem at risk and gives us no way to remediate issues due to CAs not using the “right” SCTs at issuance — something that seems very likely. In our opinion, it would be a big setback.

Nick

On Thu, Feb 9, 2023 at 3:38 PM Joe DeBlasio <jdeb...@chromium.org> wrote:
Hi all,

Based on the response so far, we'll be investigating removing support for one or both of these SCT delivery mechanisms in Chrome.

This may be your last opportunity to influence our decision -- please reach out on thread or privately if you or your customers can't easily migrate to using SCTs embedded in the certificate, or if you think maintaining these delivery mechanisms are essential for other reasons.

Thanks!
Joe


You received this message because you are subscribed to the Google Groups "certificate-transparency" group.
To unsubscribe from this group and stop receiving emails from it, send an email to certificate-transp...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/certificate-transparency/CAKMqHLgDihdsJEcaCZURDEzTYqmxvrVNuBbxXs5bSpAkNwiEHw%40mail.gmail.com.

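The three delivery mechanisms discussed in this thread (embedded in the certificate, the TLS extension, and the OCSP response extension) all carry the same RFC 6962 SignedCertificateTimestampList encoding, and the argument above depends on a client pooling SCTs from every source before applying its policy. The following is an added example, not code from the thread, from Cloudflare or from Chromium: it parses that wire format, builds constructed SCT lists for four fictional logs with placeholder (unverified) signatures, and runs a deliberately simplified policy (N distinct qualified logs, minus a set of disqualified log IDs) to show how SCTs supplied in the TLS extension can restore compliance after the two logs behind a certificate's embedded SCTs are disqualified. The log IDs, timestamps, signatures and the policy rule itself are assumptions for illustration; real clients verify each SCT signature against the log's key and apply considerably more detailed rules.

```python
"""Parse RFC 6962 SCT lists and evaluate a simplified CT policy over SCTs
gathered from all delivery mechanisms.  Added example with constructed
inputs; the log IDs, signatures and policy are not real."""
import struct
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

SCT_VERSION_V1 = 0          # RFC 6962 section 3.2: Version v1(0)
HASH_SHA256, SIG_ECDSA = 4, 3  # TLS SignatureAndHashAlgorithm code points


@dataclass(frozen=True)
class SCT:
    version: int
    log_id: bytes        # SHA-256 of the log's public key, 32 bytes
    timestamp_ms: int    # milliseconds since the Unix epoch
    extensions: bytes
    hash_alg: int
    sig_alg: int
    signature: bytes
    source: str          # "embedded", "tls" or "ocsp"


def parse_sct(data: bytes, source: str) -> SCT:
    """Parse one SerializedSCT: version, log_id, timestamp, extensions, signature."""
    if len(data) < 43:
        raise ValueError("SCT truncated before extensions length")
    if data[0] != SCT_VERSION_V1:
        raise ValueError(f"unsupported SCT version {data[0]}")
    log_id = data[1:33]
    (timestamp_ms,) = struct.unpack(">Q", data[33:41])
    (ext_len,) = struct.unpack(">H", data[41:43])
    pos = 43
    extensions = data[pos:pos + ext_len]
    if len(extensions) != ext_len:
        raise ValueError("SCT extensions truncated")
    pos += ext_len
    if len(data) < pos + 4:
        raise ValueError("SCT truncated before signature")
    hash_alg, sig_alg, sig_len = struct.unpack(">BBH", data[pos:pos + 4])
    pos += 4
    signature = data[pos:pos + sig_len]
    if len(signature) != sig_len or pos + sig_len != len(data):
        raise ValueError("SCT signature length mismatch or trailing bytes")
    return SCT(data[0], log_id, timestamp_ms, extensions, hash_alg, sig_alg, signature, source)


def parse_sct_list(blob: bytes, source: str) -> List[SCT]:
    """Parse a SignedCertificateTimestampList: 2-byte total length, then
    2-byte-length-prefixed SerializedSCTs.  The same encoding is used in the
    X.509 extension, the TLS extension and the OCSP extension."""
    if len(blob) < 2:
        raise ValueError("SCT list truncated")
    (total,) = struct.unpack(">H", blob[:2])
    if total == 0 or total != len(blob) - 2:
        raise ValueError("SCT list length mismatch")
    scts, pos = [], 2
    while pos < len(blob):
        if len(blob) < pos + 2:
            raise ValueError("SCT item length truncated")
        (n,) = struct.unpack(">H", blob[pos:pos + 2])
        pos += 2
        item = blob[pos:pos + n]
        if n == 0 or len(item) != n:
            raise ValueError("SCT item truncated")
        scts.append(parse_sct(item, source))
        pos += n
    return scts


def is_well_formed_sct_list(blob: bytes) -> bool:
    try:
        parse_sct_list(blob, "check")
        return True
    except ValueError:
        return False


# --- Constructed fixtures: fictional logs, placeholder signatures -----------
def fake_log_id(name: str) -> bytes:
    return name.encode().ljust(32, b"\x00")


def build_sct(log_id: bytes, timestamp_ms: int) -> bytes:
    """Serialize an SCT with a placeholder signature (not a valid ECDSA signature)."""
    sig = b"\x30\x06\x02\x01\x01\x02\x01\x01"
    return (bytes([SCT_VERSION_V1]) + log_id + struct.pack(">Q", timestamp_ms)
            + struct.pack(">H", 0) + bytes([HASH_SHA256, SIG_ECDSA])
            + struct.pack(">H", len(sig)) + sig)


def build_sct_list(serialized_scts: Iterable[bytes]) -> bytes:
    body = b"".join(struct.pack(">H", len(s)) + s for s in serialized_scts)
    return struct.pack(">H", len(body)) + body


# --- Simplified client policy (assumption, not any real browser's rule) -----
def evaluate_policy(scts: Iterable[SCT], known_logs: Dict[bytes, str],
                    disqualified: Set[bytes], min_distinct_logs: int) -> Tuple[bool, List[str]]:
    """Count distinct known, non-disqualified logs across every delivery source."""
    reasons, qualifying = [], set()
    for s in scts:
        name = known_logs.get(s.log_id)
        if name is None:
            reasons.append(f"{s.source}: unknown log {s.log_id[:8].hex()}")
        elif s.log_id in disqualified:
            reasons.append(f"{s.source}: log {name} is disqualified")
        else:
            qualifying.add(s.log_id)
    ok = len(qualifying) >= min_distinct_logs
    if not ok:
        reasons.append(f"need {min_distinct_logs} distinct qualified logs, have {len(qualifying)}")
    return ok, reasons


def log_disqualification_scenario() -> Tuple[bool, bool]:
    """Two logs disqualified after issuance: embedded SCTs alone fail the policy;
    SCTs from two other logs delivered in the TLS extension recover it."""
    names = ("log-a", "log-b", "log-c", "log-d")
    a, b, c, d = (fake_log_id(n) for n in names)
    logs = {fake_log_id(n): n for n in names}
    issued = 1_675_000_000_000
    embedded = parse_sct_list(build_sct_list([build_sct(a, issued), build_sct(b, issued)]), "embedded")
    before, _ = evaluate_policy(embedded, logs, {a, b}, 2)
    tls = parse_sct_list(build_sct_list([build_sct(c, issued + 86_400_000),
                                         build_sct(d, issued + 86_400_000)]), "tls")
    after, _ = evaluate_policy(embedded + tls, logs, {a, b}, 2)
    return before, after
```

Running log_disqualification_scenario() returns (False, True): the embedded SCTs alone no longer satisfy the two-log rule once both of their logs are disqualified, and the pooled set including the TLS-delivered SCTs does, without reissuing the certificate. Everything in a real deployment that this example skips (signature verification against the log key, timestamp sanity checks, per-source rules) sits between parse_sct_list and evaluate_policy.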

Joe DeBlasio

Feb 9, 2023, 5:29:51 PM
to certificate-...@googlegroups.com
---------- Forwarded message ---------
From: Joe DeBlasio <jdeb...@chromium.org>
Date: Thu, Feb 9, 2023 at 12:37 PM
Subject: Re: [ct-policy] Understanding use-cases for SCTs delivered via OCSP stapling for TLS extension
To: <certificate-...@googlegroups.com>, Certificate Transparency Policy <ct-p...@chromium.org>


Hi all,

Based on the response so far, we'll be investigating removing support for one or both of these SCT delivery mechanisms in Chrome.

This may be your last opportunity to influence our decision -- please reach out on thread or privately if you or your customers can't easily migrate to using SCTs embedded in the certificate, or if you think maintaining these delivery mechanisms are essential for other reasons.

Thanks!
Joe


On Mon, Jan 30, 2023 at 1:27 AM 'Pierre Phaneuf' via certificate-transparency <certificate-...@googlegroups.com> wrote: