On 29/10/12 11:06, Ben Laurie wrote:
On 29 October 2012 11:00, Rob Stradling <[email protected]> wrote:
<snip>
I don't have a strong opinion about this, but I think it might make sense to
split up the CT standardization effort into multiple documents, because
different audiences will be interested in different aspects of CT. i.e.
- One document aimed at the people who will implement and/or operate CT
log servers.
- One document aimed at CAs who will implement pre-certs and/or embed
proofs into OCSP Responses.
- One document aimed at browser authors who will write code to verify
proofs.
- One document aimed at webserver authors who will need to understand the
importance of implementing RFC5878 and/or OCSP Stapling (RFC6066).
- One document aimed at auditors who will need to know how to verify that
a CT log has not been compromised.
- One document aimed at domain owners who will need to know i) how to
discover if any certs have been misissued to their domain names and ii) what
to do about any detected misissuances.
TBH, I disagree - the reason being that almost all of these documents
will be identical (i.e. describing the cryptographic structure of the
log) and the only differences will be which parts of the protocol they
use - some of which will inevitably overlap. Right now the document is
lacking a few of these areas, but it is by no means unwieldy. I think
splitting across multiple documents will create a lot of pointless
duplication and effort.
OK, scrap that idea then. :-)
Given the imminent closure of the PKIX WG, I'm tempted to also suggest...
- One document that will define requirements for "Effective revocation
mechanisms".
Not against that at all, but it sounds like a different WG to me.
Maybe so.
--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
_______________________________________________
therightkey mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/therightkey
