Ah - I was wondering if you meant a time stamp in addition to a CT time stamp or whether CT logging would qualify. In that case, why not simply require all certs be logged with a CT? Is this simply a temporary step until CT is ready for a larger scale deployment?
> On Sep 23, 2016, at 3:52 AM, Peter Bowen <p...@amzn.com> wrote:
>
>> On Sep 22, 2016, at 4:29 PM, Ryan Sleevi <sle...@google.com> wrote:
>>
>> On Thu, Sep 22, 2016 at 4:24 PM, Jeremy Rowley <jeremy.row...@digicert.com> wrote:
>> Sorry - jumped to conclusions early on when I saw the title...
>>
>> Doesn't that make the cert bigger? Seems like a better solution to simply
>> include an issuance time rather than another signed data structure.
>> Companies already complain about cert size all the time.
>>
>> Companies complain about _unnecessary_ cert size all the time (e.g.
>> unnecessary CPS statements).
>>
>> This has clear value for the ecosystem. And the cost is only borne in the
>> backdating case.
>
> And is only extra size if the cert is not already embedding a
> cryptographically signed timestamp. SCTs for Certificate Transparency are a
> type of cryptographically signed timestamp, so any cert with them already has
> what is needed.
_______________________________________________
Public mailing list
Public@cabforum.org
https://cabforum.org/mailman/listinfo/public
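
Added example, not part of the original thread: a Python sketch of how the SCT timestamps mentioned above can be read from a TLS-encoded SignedCertificateTimestampList (RFC 6962, section 3.3) and compared with a certificate's notBefore to spot backdating. The 48-hour tolerance, the helper names and the sample bytes are assumptions made for illustration, and the SCT signatures are not verified here.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

def parse_sct_list(blob):
    """Parse a TLS-encoded SignedCertificateTimestampList (RFC 6962, section 3.3)."""
    if len(blob) < 2 or struct.unpack_from(">H", blob)[0] != len(blob) - 2:
        raise ValueError("SCT list length mismatch")
    scts, pos = [], 2
    while pos < len(blob):
        if pos + 2 > len(blob):
            raise ValueError("truncated SCT length")
        (sct_len,) = struct.unpack_from(">H", blob, pos)
        sct = blob[pos + 2:pos + 2 + sct_len]
        if len(sct) != sct_len or sct_len < 47:  # 47 = smallest possible v1 SCT
            raise ValueError("truncated SCT")
        version, log_id, ts_ms, ext_len = struct.unpack_from(">B32sQH", sct)
        if version != 0:
            raise ValueError("unknown SCT version")
        sig_off = 43 + ext_len  # fixed header is 43 bytes, then extensions
        if sig_off + 4 > sct_len:
            raise ValueError("bad extensions length")
        _hash_alg, _sig_alg, sig_len = struct.unpack_from(">BBH", sct, sig_off)
        if sig_off + 4 + sig_len != sct_len:
            raise ValueError("bad signature length")
        # The timestamp is only trustworthy once the signature has been checked
        # against the log's public key; that step is out of scope here.
        scts.append({"log_id": log_id, "timestamp": EPOCH + timedelta(milliseconds=ts_ms)})
        pos += 2 + sct_len
    return scts

def backdated_by(not_before, scts, tolerance=timedelta(hours=48)):
    """Return how far notBefore precedes the earliest SCT, or None if within tolerance."""
    if not scts:
        raise ValueError("no SCTs: nothing to compare against")
    gap = min(s["timestamp"] for s in scts) - not_before
    return gap if gap > tolerance else None  # tolerance is an assumed policy value

def make_sample_sct(log_byte, when):
    """Build a constructed SCT with a dummy 8-byte signature (sample data only)."""
    body = struct.pack(">B32sQH", 0, bytes([log_byte]) * 32, int(when.timestamp() * 1000), 0)
    body += struct.pack(">BBH", 4, 3, 8) + b"\x00" * 8
    return struct.pack(">H", len(body)) + body

# Constructed sample: two logs timestamped the certificate on 2016-09-22.
_items = b"".join(make_sample_sct(b, datetime(2016, 9, 22, 12, 0, s, tzinfo=timezone.utc))
                  for b, s in ((0xAA, 0), (0xBB, 5)))
SAMPLE_LIST = struct.pack(">H", len(_items)) + _items
```
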