On 18 November 2012 01:32, Carl Wallace <[email protected]> wrote:
> On 11/17/12 8:24 PM, "Paul Hoffman" <[email protected]> wrote:
>
>>>And you cannot say "The CA industry" either, which is the answer for the
>>> CT-PKIX version.
>>
>>OK, so maybe you haven't been following the mailing list or reading the
>>draft. In the CT-for-PKIX proposal, individuals can submit their own
>>certificate.
>
> Under this approach, how does the log come to have certificates that a
> legitimate owner would like to be made aware of? I understand the utility
> of including the CT in the certificate and having an individual submit
> their certificate (or the CA on their behalf) but locking down a log to
> these sorts of inputs would seem to limit their usefulness for detecting
> rogue certs.

The idea is that the log contains all certificates the browser might otherwise say are valid. If the cert would not be validated by the browser anyway, there's no real point it being in the log - and so, for pragmatic reasons (i.e. spam prevention), our current plan is to not allow such certificates to be logged.
