On Nov 1, 2012, at 8:14 AM, Paul Hoffman <paul.hoff...@vpnc.org> wrote:
> As someone who has to trust every CA in the root pile in my browsers and OSs,
> I find it frightening that a CA who can say "this is your bank's certificate"
> cannot handle new requirements for how to say that. If adopting a simple
> protocol like this causes an ossified CA too many problems, maybe I don't
> trust that CA to be able to issue certificates for my bank, much less to be
> able to know which certificates that they are actually issuing.

I'm mostly with Paul on this. I think that a CA that doesn't see CT as an incredible boon is ossified, to say the least. I'd add that this can be something the market solves -- move your business to one that gets it.

I can't say enough good things about CT because I think it lets everyone win without being the TSA of the Internet. I can go on, but really, CT is almost all upside. The only real downside is that it puts stresses on genuinely private PKIs, but it's only a stress, and arguably the few of those that really exist can opt out. Ben has pointed out that the same sorts of problems that CT would put on such things are induced by the SSL Observatory and similar efforts.

Jon

_______________________________________________
therightkey mailing list
therightkey@ietf.org
https://www.ietf.org/mailman/listinfo/therightkey