On 26/10/12 00:58, Rick Andrews wrote:
> <snip>
> AFAICT, for CT to really work it will require participation from every CA whose
> roots are in browsers. I think you're underestimating how hard it will be to
> achieve that.
Rick,
Ultimately, assuming the RFC5878 TLS extension gains widespread support
in server and client software, CT won't _require_ participation from any
CA. Each certificate holder will be able to configure their server to
send their certificate's CT proof to each client.
But with participation from the CAs, it should be possible to realize
the CT dream far sooner. And (even in a future world where RFC5878 is
supported everywhere) if the CA takes care of CT proof distribution,
then that makes life easier for the certificate holder.
> Further, no one has yet brought up the privacy issue. CAs sell a lot of
> certificates to companies for their internal use. Some of them may object to
> publishing all their internal domain names.
This has been a concern for Comodo too, so I spoke to AGL about it a few
weeks ago. AIUI, the plan is that CT clients will have a
user-configurable whitelist (empty by default) of domain names for which
CT proofs will not be required. Participating CAs should allow
customers to opt out from having their certs automatically logged with CT.
--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
_______________________________________________
therightkey mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/therightkey
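The client-side behaviour sketched in the message above (a CT proof is required for every name unless the user has put the domain on an exemption list that is empty by default) can be written as a small policy check. This is an added example, not code from the thread or from any CT client; the class and function names, the `source` labels for where a proof arrived from (`tls_extension` for server-delivered proofs in the RFC 5878 style, `certificate` for CA-embedded ones), and the `valid` flag standing in for a signature check done elsewhere are all assumptions made for illustration.

```python
"""Client-side CT enforcement decision with a user-configurable exemption list.

Added example; names and the proof model are illustrative assumptions.
"""
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class CTProof:
    """One CT proof (signed certificate timestamp) as the client sees it.

    source: 'tls_extension' (sent by the server, RFC 5878 style),
            'certificate' (embedded by the CA), or any other channel label.
    valid:  result of the signature check against the log's key, performed
            elsewhere; this example only consumes the verdict.
    """
    log_id: str
    source: str
    valid: bool


def normalize_host(hostname: str) -> str:
    """Lowercase and drop a trailing dot so matching is case/FQDN-insensitive."""
    return hostname.strip().rstrip(".").lower()


class CTPolicy:
    """Decide whether a connection to `hostname` may proceed under CT rules."""

    def __init__(self, exempt_domains: Iterable[str] = ()) -> None:
        # Empty by default: every name needs a proof unless the user opts out.
        self.exempt_domains = frozenset(normalize_host(d) for d in exempt_domains)

    def is_exempt(self, hostname: str) -> bool:
        """True if hostname equals, or is a subdomain of, an exempted domain.

        Suffix matching requires the dot boundary, so exempting 'corp.example'
        does not silently exempt 'notcorp.example'.
        """
        host = normalize_host(hostname)
        return any(host == d or host.endswith("." + d) for d in self.exempt_domains)

    def evaluate(self, hostname: str, proofs: List[CTProof]) -> Tuple[str, str]:
        """Return (decision, reason); 'reject' means the client should not connect."""
        if self.is_exempt(hostname):
            # User-configured carve-out for internal names that are never logged.
            return ("accept", "ct-exempt")
        good = [p for p in proofs if p.valid]
        if good:
            sources = ",".join(sorted({p.source for p in good}))
            return ("accept", "ct-proof:" + sources)
        if proofs:
            return ("reject", "ct-proof-invalid")
        return ("reject", "ct-proof-missing")


if __name__ == "__main__":
    # Constructed sample inputs, not real log ids or hostnames.
    default_policy = CTPolicy()
    internal_policy = CTPolicy(["corp.example"])
    print(default_policy.evaluate("www.example.com", []))
    print(default_policy.evaluate("www.example.com",
                                  [CTProof("log-a", "tls_extension", True)]))
    print(internal_policy.evaluate("intranet.corp.example", []))
    print(internal_policy.evaluate("notcorp.example", []))
```

The default policy rejects any name that arrives without a valid proof, which is the behaviour the message attributes to CT clients; only an explicit entry in the exemption list relaxes that, and the dot-boundary check keeps an exemption from reaching unrelated names that merely share a suffix.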