On Nov 1, 2012, at 10:08 AM, Rick Andrews <rick_andr...@symantec.com> wrote:

>> As someone who has to trust every CA in the root pile in my browsers
>> and OSs, I find it frightening that a CA who can say "this is your
>> bank's certificate" cannot handle new requirements for how to say that.
>> If adopting a simple protocol like this causes an ossified CA too many
>> problems, maybe I don't trust that CA to be able to issue certificates
>> for my bank, much less to be able to know which certificates that they
>> are actually issuing.
> 
> Paul, I find your statements to be oversimplifications:
> 
> 1) That the CT protocol is simple: I've been trying to make the point on this 
> list that it may be conceptually simple but pretty difficult to implement to 
> the scale that is required.

Required by whom? Your scale arguments have, I believe, been that we need the 
same number of CAs in the root pile as we do now, and that we need dozens of 
auditors for the relying parties to choose from. For me as a relying party, 
neither of those are true.

If I'm wrong about my interpretation of your scale arguments, by all means 
start a new thread on this list with a concise statement of what you think is 
required for scaling. 

> 2) That CAs can't handle new requirements:

That's silly: I believe that many CAs can handle the new requirements just fine.

> I'm not convinced that CT is the silver bullet that some appear to claim it 
> is.

Now you're putting words in other people's mouths, not a great tactic in the 
IETF. The term "silver bullet" has not appeared on this list, and I don't 
remember anyone using anything at all similar when describing certificate 
transparency.

> If you were referring to my statements on this list, please don't interpret 
> my criticism as inability to handle new requirements.

I didn't.

> I think a debate on the merits is healthy.

Yes, that's why we are all here.

--Paul Hoffman
_______________________________________________
therightkey mailing list
therightkey@ietf.org
https://www.ietf.org/mailman/listinfo/therightkey