On Sat, Nov 17, 2012 at 08:01:10AM -0800, Paul Hoffman wrote: > CT-for-PKIX helps a web site administrator determine if a trusted CA ever > issued a certificate that should not have been issued. > > CT-for-DNSSEC helps a DNS zone administrator determine whether a DNS server > in the hierarchy above the leaf zone ever included a DS record that should > not have been included. > > It would be good to have agreement on the above; feel free to offer changes > and see if the authors agree. Then we can talk about the relationship between > the two. >
Sounds reasonable to me. Does "CT" need to be renamed for DNSSEC? Since we're talking about transparency of delegation records/keys and not X.509 certificates. If C means "certification" in the general sense, then I suppose it might still be applicable since a (signed) DS record certifies the authenticity of the secure entry point key in a subordinate zone. -- Shumon Huque University of Pennsylvania. _______________________________________________ therightkey mailing list [email protected] https://www.ietf.org/mailman/listinfo/therightkey
