Ah - I was wondering if you meant a time stamp in addition to a CT time stamp 
or whether CT logging would qualify. In that case, why not simply require all 
certs be logged with a CT? Is this simply a temporary step until CT is ready 
for a larger scale deployment?

> On Sep 23, 2016, at 3:52 AM, Peter Bowen <p...@amzn.com> wrote:
> 
> 
>> On Sep 22, 2016, at 4:29 PM, Ryan Sleevi <sle...@google.com> wrote:
>> 
>> 
>> 
>> On Thu, Sep 22, 2016 at 4:24 PM, Jeremy Rowley <jeremy.row...@digicert.com> 
>> wrote:
>> Sorry - jumped to conclusions early on when I saw the title...
>> 
>> Doesn't that make the cert bigger? Seems like a better solution to simply 
>> include an issuance time rather than another signed data structure. 
>> Companies already complain about cert size all the time.
>> 
>> Companies complain about _unnecessary_ cert size all the time (e.g. 
>> unnecessary CPS statements).
>> 
>> This has clear value for the ecosystem. And the cost is only borne in the 
>> backdating case.
> 
> And is only extra size if the cert is not already embedding a 
> cryptographically signed timestamp.  SCTs for Certificate Transparency are a 
> type of cryptographically signed timestamp, so any cert with them already has 
> what is needed.

Attachment: smime.p7s
Description: S/MIME cryptographic signature

_______________________________________________
Public mailing list
Public@cabforum.org
https://cabforum.org/mailman/listinfo/public

Reply via email to