On 01/11/12 19:54, Paul Hoffman wrote:
On Nov 1, 2012, at 11:52 AM, Rob Stradling <rob.stradl...@comodo.com> wrote:
On 01/11/12 16:46, Paul Hoffman wrote:
On Nov 1, 2012, at 9:29 AM, Phillip Hallam-Baker <hal...@gmail.com> wrote:
This is about barely capable sysadmins.
Different problem.
From the perspective of the relying party (me, caring about making a secure
connection to my bank), the problems are indistinguishable. A CA who retains a
sysadmin who is barely capable
Paul, this is about barely capable sysadmins _at your bank_, not at the CA.
(Ben wrote "The process of participating in CT for a _server operator_ is...")
OK, maybe I'm confused here, or maybe you are. If my bank has a certificate
issued by a CA who is actively participating in CT, there is no requirement on
the bank at all, correct?
If by "actively participating" you mean that the CA has embedded the CT
proof in the cert, then yes, there is no requirement on the bank.
If the CA instead embeds the CT proof in OCSP Responses relating to the
cert, then there is no requirement on the bank apart from using OCSP
Stapling.
If the CA is not participating in either of these 2 ways, then there is
a requirement on the bank (aka the "server operator"), which may or may
not be rocket science, depending on your opinion.
--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online