On Nov 17, 2012, at 3:06 PM, Paul Wouters <[email protected]> wrote:

> On Sat, 17 Nov 2012, Carl Wallace wrote:
>
>> Who is intended to be able to contribute to the log? It seems like for
>> this to provide the desired visibility, any client should be able to. For
>> CT, at least, I thought this was not to be the case.
>
> How do you authenticate that?

The submission includes the whole DNSSEC chain to the root, similar to what it does for CT-for-PKIX.

> You cannot use the DS/DNSKEY for
> authentication because then the CT audit log is useless to detect
> compromises.

The purpose is to detect inclusion of DS keys that are not valid to the end host, not to detect "compromise". You have been following this mailing list, yes?

> And you cannot say "The CA industry" either, which is the answer for the
> CT-PKIX version.

OK, so maybe you haven't been following the mailing list or reading the draft. In the CT-for-PKIX proposal, individuals can submit their own certificate.

> If you make CT-DNSSEC go through the CA industry, it
> will cost $10/year or more to get in the audit log.

Thank you, Strawman McBogusArg!

--Paul Hoffman

_______________________________________________
therightkey mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/therightkey
