Is the DNS scheme in Certificate Transparency v2 <http://www.links.org/?p=1259> scalable?
It mentions TXT records such as:

  <signed-cert-hash>.hash.example.net
  <cert-index>.<level>.<tree-size>.tree.example.net

Sticking with the sample size in the spec of 1.3 million certificates means there would be 1.3 million DNS entries immediately below .hash.example.net and the same number immediately below .0.1300000.tree.example.net. That is much smaller than the 100 million entries immediately below .com so it is possible, though it might require more heroics than should be necessary.

<tree-size> is 1300000 in the example. I assume this increments for every certificate logged. This seems to imply you need a whole new DNS tree .1300001.tree.example.net (with ~8.5e11 <cert-index>.<level> sub-entries) when the next certificate is issued! I guess you can synthetically create them on-demand, but that does seem to destroy caching etc.

A DNS scheme that doesn't use <tree-size> as a DNS label (the tree size is still known from the Signed Tree Head), and only publishes the stable parts of the Merkle tree (with stable names) should be possible.

--
James Manger

> -----Original Message-----
> From: [email protected] [mailto:therightkey-
> [email protected]] On Behalf Of Ben Laurie
> Sent: Wednesday, 1 August 2012 8:13 AM
> To: [email protected]
> Subject: [therightkey] Certificate Transparency Version 2
>
> Many CAs were dismayed by the time it took to issue a "log proof". It
> was also quite a bad name.
>
> So, in v2 we reduce issuance time to (effectively) zero.
>
> As always, comments please.

_______________________________________________
therightkey mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/therightkey
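The churn James describes can be measured on a small tree. The following is an added example, not code from the thread or from the CT v2 draft: it builds an RFC 6962-style Merkle tree, publishes every node under the two naming styles (the draft's `<cert-index>.<level>.<tree-size>.tree.example.net` versus a name without the `<tree-size>` label), and counts how many DNS records change when one more certificate is logged. The zone `tree.example.net` is taken from the draft's example; the function names and the `cert-<i>` leaf data are constructed for this illustration.

```python
"""Added example: record churn when a CT Merkle tree grows by one leaf."""
import hashlib

DOMAIN = "tree.example.net"  # zone from the draft's example


def leaf_hash(data: bytes) -> bytes:
    return hashlib.sha256(b"\x00" + data).digest()  # RFC 6962 leaf prefix


def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()  # interior prefix


def merkle_levels(leaves):
    """Level 0 = leaf hashes, last level = root. An unpaired node at the end
    of a level is carried up unchanged, which reproduces RFC 6962's MTH()."""
    levels = [[leaf_hash(d) for d in leaves]]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        nxt = [node_hash(cur[i], cur[i + 1]) for i in range(0, len(cur) - 1, 2)]
        if len(cur) % 2:
            nxt.append(cur[-1])  # right-edge node promoted unchanged
        levels.append(nxt)
    return levels


def records(leaves, with_tree_size):
    """Map DNS name -> hex node hash for every node of the tree."""
    n = len(leaves)
    out = {}
    for lvl, nodes in enumerate(merkle_levels(leaves)):
        for idx, h in enumerate(nodes):
            # Draft style carries the tree size as a label; the alternative
            # James suggests names nodes by (index, level) only.
            name = f"{idx}.{lvl}.{n}.{DOMAIN}" if with_tree_size else f"{idx}.{lvl}.{DOMAIN}"
            out[name] = h.hex()
    return out


def churn(n, with_tree_size):
    """Return (records that differ between size n and n+1, records at size n+1)."""
    leaves = [f"cert-{i}".encode() for i in range(n + 1)]  # constructed sample data
    before = records(leaves[:n], with_tree_size)
    after = records(leaves, with_tree_size)
    changed = sum(1 for name, value in after.items() if before.get(name) != value)
    return changed, len(after)


if __name__ == "__main__":
    for size in (5, 7, 1000):
        print(size, "-> with <tree-size>:", churn(size, True), "stable names:", churn(size, False))
```

With the `<tree-size>` label every record is new after each certificate, whereas with stable names only the right-edge path (one node per level) changes and every complete subtree keeps its name and value.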
