On 01/11/12 20:33, Paul Hoffman wrote:
> On Nov 1, 2012, at 1:00 PM, Rob Stradling <rob.stradl...@comodo.com> wrote:

>> If by "actively participating" you mean that the CA has embedded the CT proof
>> in the cert, then yes, there is no requirement on the bank.

> That's one definition of "actively participating", but there are others, such
> as publishing a list that the auditors pick up.

What sort of list did you have in mind?

Would this list be "transparent"?
(i.e. if the CA were to publish an inaccurate or incomplete list, would the auditor definitely notice?)

>> If the CA instead embeds the CT proof in OCSP Responses relating to the cert,
>> then there is no requirement on the bank apart from to use OCSP Stapling.

> This confuses me. If the CA is putting the CT proof in its OCSP responses, why
> does the bank have to do anything?

Because not all clients do online OCSP checks.
Because far too many online OCSP checks fail due to the Responder being unreachable.
Because OCSP Stapling is not currently enabled by default in (at least) Apache and nginx.

>> If the CA is not participating in either of these 2 ways, then there is a requirement on
>> the bank (aka the "server operator"), which may or may not be rocket science,
>> depending on your opinion.

> If the CA is not participating, why should that CA be in the trust pile of
> software that relies on CT?

AFAIK, this is the first time it's been suggested that CT should require CA participation. I think it's an idea we should consider seriously.

--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
_______________________________________________
therightkey mailing list
therightkey@ietf.org
https://www.ietf.org/mailman/listinfo/therightkey
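The three carriers discussed in the thread (the certificate extension, the OCSP response extension, and the TLS extension sent by the server operator) all carry the same RFC 6962 SignedCertificateTimestampList byte layout. The Python below is an added example, not code from the thread or from any CA or log: it parses that list, checks the length prefixes, and is fed a constructed sample with made-up log ids and signature bytes; it assumes the RFC 6962 v1 encoding and does not verify the log signatures.

```python
import struct

def _take(buf, pos, n):
    if pos + n > len(buf):          # refuse to read past the end of the buffer
        raise ValueError("truncated at offset %d" % pos)
    return buf[pos:pos + n], pos + n

def parse_sct(sct):
    """Decode one SerializedSCT (RFC 6962 section 3.2) into its fields."""
    if sct[:1] != b"\x00":
        raise ValueError("only SCT v1 is understood")
    log_id, pos = _take(sct, 1, 32)
    ts, pos = _take(sct, pos, 8)
    ext_len, pos = _take(sct, pos, 2)
    extensions, pos = _take(sct, pos, struct.unpack(">H", ext_len)[0])
    algs, pos = _take(sct, pos, 2)  # hash algorithm, signature algorithm
    sig_len, pos = _take(sct, pos, 2)
    signature, pos = _take(sct, pos, struct.unpack(">H", sig_len)[0])
    if pos != len(sct):
        raise ValueError("trailing bytes after SCT")
    return {"log_id": log_id.hex(), "timestamp_ms": struct.unpack(">Q", ts)[0],
            "extensions": extensions, "hash_alg": algs[0], "sig_alg": algs[1],
            "signature": signature}

def parse_sct_list(data):
    """Decode a SignedCertificateTimestampList: outer length, then length-prefixed SCTs."""
    total, pos = _take(data, 0, 2)
    body, pos = _take(data, pos, struct.unpack(">H", total)[0])
    if pos != len(data) or not body:
        raise ValueError("bad SCT list length")
    scts, pos = [], 0
    while pos < len(body):
        n, pos = _take(body, pos, 2)
        raw, pos = _take(body, pos, struct.unpack(">H", n)[0])
        scts.append(parse_sct(raw))
    return scts

def build_sct(log_id, timestamp_ms, signature, extensions=b""):
    # Encode a v1 SCT with sha256/ecdsa algorithm ids; used only to build sample input.
    return (b"\x00" + log_id + struct.pack(">Q", timestamp_ms)
            + struct.pack(">H", len(extensions)) + extensions
            + b"\x04\x03" + struct.pack(">H", len(signature)) + signature)

# Constructed sample: two SCTs with made-up log ids and signature bytes.
_SCTS = [build_sct(b"\x11" * 32, 1351800000000, b"\xaa" * 70),
         build_sct(b"\x22" * 32, 1351800001000, b"\xbb" * 71)]
_BODY = b"".join(struct.pack(">H", len(s)) + s for s in _SCTS)
SAMPLE = struct.pack(">H", len(_BODY)) + _BODY
```

In the certificate and OCSP extensions this list sits inside an ASN.1 OCTET STRING that must be unwrapped first; in the TLS extension it is the raw extension data.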
