On Nov 1, 2012, at 2:10 AM, Ben Laurie wrote:

> It's only software. The process of participating in CT for a server operator
> is:
> 1. Run command line tool once, giving it your certificate as input and
> an SCT file as output.
> 2. Add one line of configuration to your server config.
> Not exactly rocket science. If people _really_ find it hard, we could
> build it into the servers so there was no manual step at all.

As someone who has to trust every CA in the root pile in my browsers and OSs, I 
find it frightening that a CA who can say "this is your bank's certificate" 
cannot handle new requirements for how to say that. If adopting a simple 
protocol like this causes an ossified CA too many problems, maybe I don't trust 
that CA to be able to issue certificates for my bank, much less to be able to 
know which certificates they are actually issuing.

--Paul Hoffman
