On Sun, Jul 12, 2015 at 11:37:07PM -0400, Paul Wouters wrote:
> >DANE-EE(3) certs are often self-signed, and there's no way to
> >control the "spam" problem on the CT logs with DANE-EE(3).
>
> You don't know what audit logs will use for policies. Perhaps some
> audit logs will be dedicated to onl
On Mon, 13 Jul 2015, Viktor Dukhovni wrote:
CT auditors log EE-certs. Checking the CT logs also provides a way to
signal rogue EE-certs to the original webserver via a gossip/client
protocol. So I would not say Usage 3 should never check the CT logs.
DANE-EE(3) certs are often self-signed, and
On Sun, Jul 12, 2015 at 10:54:07PM -0400, Paul Wouters wrote:
> >>What are the valid reasons for performing th CT checks? If there are not
> >>any, why not make this requirement a "MUST NOT" instead?
>
> CT auditors log EE-certs. Checking the CT logs also provides a way to
> signal rogue EE-certs
On Sun, Jul 12, 2015 at 10:54:07PM -0400, Paul Wouters wrote:
> >>What are the valid reasons for performing th CT checks? If there are not
> >>any, why not make this requirement a "MUST NOT" instead?
>
> CT auditors log EE-certs. Checking the CT logs also provides a way to
> signal rogue EE-certs
On Sat, 11 Jul 2015, Viktor Dukhovni wrote:
* Section 4.8, page 8:
Therefore, when a TLS client
authenticates the TLS server via a TLSA record with usage DANE-EE(3),
CT checks SHOULD NOT be performed.
What are the valid reasons for performing th CT checks? If there are not
any, why not make t
