On 20/07/16 13:07, Tom Ritter wrote:
> On 20 July 2016 at 04:51, Yaron Sheffer <[email protected]> wrote:
>> 4. Option 1 looks to the ACME server as a normal cert request, and
>> therefore will swamp the CT logs with lots of short-term certs. With
>> Option 2, we can log to CT the issuance of the delegation ticket instead
>> of the actual certificates.
> I think the CT community would strongly oppose this notion (I know I
> would.) As a domain owner, I want to know what certificates are
> issued for me - that is the purpose of CT. Logging a delegation ticket
> does not accomplish this. An attacker who compromises the delegation
> ticket has free rein and I would never know.
> Maybe there is a way to make this possible, similar to redacted
> certificates, but since implementors of CT can't agree on a good way
> to make redaction work functionally, it seems unlikely this would be
> adopted by CT in short order.
> -tom
Hi Tom,
As far as I understand CT, it is mostly about protecting the rightful
domain owner from other people issuing their certs for their domains,
using other CAs. In this case, the delegation ticket is restricted to a
single CA and so this cannot happen.
BTW, we could associate the delegation ticket with a private key on the
TLS server which would make it harder to compromise the ticket.
Thanks,
Yaron
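Added example (not from either message above, and not ACME or CT project code): a toy domain-owner CT monitor that models the two logging options the thread argues about. It assumes a simplified log entry with a `kind` field distinguishing a leaf certificate from a delegation ticket, and all entries, domain names and CA names are constructed. Running the audit over both models shows Yaron's point (Option 1 logs one entry per short-term cert, Option 2 logs one ticket) and Tom's point (under Option 2 the certs minted under the ticket never reach the domain owner's monitor), while also confirming that a certificate logged by a different CA is visible under either option.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class LogEntry:
    """A CT log entry as a domain-owner monitor sees it (constructed model)."""
    domain: str
    issuer: str
    kind: str        # "cert" (leaf certificate) or "ticket" (delegation ticket); assumed field
    not_before: date
    not_after: date

    @property
    def lifetime_days(self) -> int:
        return (self.not_after - self.not_before).days


def option1_entries(domain, issuer, start, days, lifetime_days=1):
    """Option 1 from the thread: each short-term cert is a normal issuance and is logged."""
    return [
        LogEntry(domain, issuer, "cert",
                 start + timedelta(days=i),
                 start + timedelta(days=i + lifetime_days))
        for i in range(days)
    ]


def option2_entries(domain, issuer, start, days):
    """Option 2: only the delegation ticket is logged; certs minted under it are not."""
    return [LogEntry(domain, issuer, "ticket", start, start + timedelta(days=days))]


def audit(entries, my_domain, allowed_issuers):
    """What a domain owner learns from the log for their own domain.

    Splits entries into certificates the owner can actually see, tickets
    (delegations whose individual certs are invisible), and anything from
    an issuer the owner did not authorise.
    """
    mine = [e for e in entries if e.domain == my_domain]
    return {
        "visible_certs": [e for e in mine if e.kind == "cert"],
        "tickets": [e for e in mine if e.kind == "ticket"],
        "unexpected_issuer": [e for e in mine if e.issuer not in allowed_issuers],
    }


def compare_options(my_domain="example.test", ca="Constructed CA", days=30):
    """Run the audit against both logging models plus one certificate from another CA."""
    start = date(2016, 7, 20)
    # Constructed: a cert for my domain logged by a CA I did not authorise.
    other_ca = LogEntry(my_domain, "Some Other CA", "cert", start, start + timedelta(days=90))
    o1 = audit(option1_entries(my_domain, ca, start, days) + [other_ca], my_domain, {ca})
    o2 = audit(option2_entries(my_domain, ca, start, days) + [other_ca], my_domain, {ca})
    return {
        "option1_log_volume": len(o1["visible_certs"]) + len(o1["tickets"]),
        "option2_log_volume": len(o2["visible_certs"]) + len(o2["tickets"]),
        "option1_unexpected": len(o1["unexpected_issuer"]),
        "option2_unexpected": len(o2["unexpected_issuer"]),
        # Under Option 2 these certs exist but never appear in the log.
        "option2_certs_hidden_behind_ticket": days,
    }


if __name__ == "__main__":
    for key, value in compare_options().items():
        print(f"{key}: {value}")
```

The `option2_certs_hidden_behind_ticket` figure is the gap the two messages disagree about: the volume saving and the loss of per-certificate visibility are the same number.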
_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme