On 01/11/12 19:54, Paul Hoffman wrote:
On Nov 1, 2012, at 11:52 AM, Rob Stradling <rob.stradl...@comodo.com> wrote:

On 01/11/12 16:46, Paul Hoffman wrote:
On Nov 1, 2012, at 9:29 AM, Phillip Hallam-Baker <hal...@gmail.com> wrote:

This is about barely capable sysadmins.

Different problem.

From the perspective of the relying party (me, caring about making a secure
connection to my bank), the problems are indistinguishable. A CA who retains a 
sysadmin who is barely capable

Paul, this is about barely capable sysadmins _at your bank_, not at the CA.

(Ben wrote "The process of participating in CT for a _server operator_ is...")

OK, maybe I'm confused here, or maybe you are. If my bank has a certificate 
issued by a CA who is actively participating in CT, there is no requirement on 
the bank at all, correct?

If by "actively participating" you mean that the CA has embedded the CT proof in the cert, then yes, there is no requirement on the bank.

If the CA instead embeds the CT proof in OCSP Responses relating to the cert, then there is no requirement on the bank apart from using OCSP Stapling.

If the CA is not participating in either of these 2 ways, then there is a requirement on the bank (aka the "server operator"), which may or may not be rocket science, depending on your opinion.

--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
_______________________________________________
therightkey mailing list
therightkey@ietf.org
https://www.ietf.org/mailman/listinfo/therightkey
