On Thu, 1 Nov 2012, Phillip Hallam-Baker wrote:
This is about barely capable sysadmins.
I'm a barely capable sysadmin and the steps Ben outlined seem both
reasonable and do-able to me. I also like the option to build it into the
server where smart hands can build it into the default options for
configuration -
- Lucy
Different problem.
On Thu, Nov 1, 2012 at 11:14 AM, Paul Hoffman <paul.hoff...@vpnc.org> wrote:
On Nov 1, 2012, at 2:10 AM, Ben Laurie <b...@google.com> wrote:
It's only software. The process of participating in CT for a server
operator is:
1. Run command line tool once, giving it your certificate as input and
an SCT file as output.
2. Add one line of configuration to your server config.
Not exactly rocket science. If people _really_ find it hard, we could
build it into the servers so there was no manual step at all.
As someone who has to trust every CA in the root pile in my browsers and
OSs, I find it frightening that a CA who can say "this is your bank's
certificate" cannot handle new requirements for how to say that. If
adopting a simple protocol like this causes an ossified CA too many
problems, maybe I don't trust that CA to be able to issue certificates for
my bank, much less to be able to know which certificates that they are
actually issuing.
--Paul Hoffman
_______________________________________________
therightkey mailing list
therightkey@ietf.org
https://www.ietf.org/mailman/listinfo/therightkey