On 09/06/2012 03:55 PM, [email protected] wrote:
> Part of the stated objective (i.e. verify the issuance of public
> X.509 certificates) is currently addressed, within the context of OCSP, in:
> https://datatracker.ietf.org/doc/draft-pinkas-2560bis-certinfo/
> This draft is being considered within the PKIX WG.

Denis,
IIUC, your draft allows an OCSP client to ask a CA "Have you issued a
certificate with this particular serial number?"
That's not the question that users, domain owners and auditors will want
to ask of Certificate Transparency.
For example, domain owners will want to ask "What certificates have been
issued, by any/every CA in the world, for my domain name?" This is
clearly out of scope for OCSP.

> The second part of the objective (i.e. making all public issued
> certificates available to applications) may be dangerous in many situations.

Can you give specific examples?
--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
_______________________________________________
therightkey mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/therightkey