On 1/9/13 7:35 AM, "Ben Laurie" <[email protected]> wrote:

<snip>
>>  Is there any required relationship between sct
>> included in a handshake and certificates returned in the handshake?
>
>I'm not sure what you mean? The SCT has to be for the end entity
>certificate.

OK.  I drifted in and out of recognizing the SCT only has the EE while the
messages to the server have the path.

<snip>
>> - In 4.1, if multiple clients submit the same certificate, is the same
>> sct signature returned to each?
>
>This is addressed in 3. "If the log has previously seen the
>certificate, it MAY return the same SCT as it returned before"

Missed that.  Thanks.  Why not MUST?

>
>> What if the path is different for different
>> submissions?
>
>Only the end entity certificate is used to make the SCT.

This could be made clear.  Seems like the log really doesn't care (or need
to care) about multiple paths to an EE.  Once it has an EE, the same SCT
can be used.

><snip>
>>  It'd be nice if there were a client message that took a domain
>> name as input.
>
>That is a service a monitor could provide to its clients.

That makes sense.

>
>> Of course, this could probably be achieved by sticking an
>> X.500 or LDAP interface on the log instead:-)  Should a server operator
>> take any steps if it finds a new sct that chains to a different root
>> than the sct it includes in TLS handshakes?
>
>I don't know, but I also don't think CT is a chain discovery
>mechanism, just an end entity cert discovery mechanism.

Got it.


_______________________________________________
therightkey mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/therightkey
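The two points settled in the exchange above (the SCT is computed over the end-entity certificate alone, so the chain submitted with it does not enter the signed data, and a log that has already seen an EE certificate may return the SCT it issued before) can be shown with a toy log. This is an added example, not code from the CT draft or from any participant in the thread; the certificates are constructed stand-in byte strings, and an HMAC under a key both sides hold stands in for the log's real signature and public-key verification.

```python
"""Toy Certificate Transparency log (added example, not the CT draft's code).

Shows that the SCT's signed data covers only the leaf (EE) certificate, so
submissions of the same leaf under different chains get the same SCT, and
that a client checks the SCT against the EE certificate it was handed in
the TLS handshake, not against the chain.
"""
import hashlib
import hmac
import struct
import time

# Constructed sample material: not real certificates, keys or roots.
LOG_KEY = b"constructed-log-key"
ROOT_A = b"-- constructed root A --"
ROOT_B = b"-- constructed root B --"
INTERMEDIATE_A = b"-- constructed intermediate under root A --"
INTERMEDIATE_B = b"-- constructed intermediate under root B --"
EE_CERT = b"-- constructed end-entity certificate for example.test --"
OTHER_EE = b"-- constructed end-entity certificate for other.test --"

SCT_V1 = 0
CERTIFICATE_TIMESTAMP = 0   # SignatureType
X509_ENTRY = 0              # LogEntryType


def sct_signed_data(timestamp_ms, leaf_cert):
    """The 'digitally-signed' input of a v1 SCT, shaped after RFC 6962 3.2:
    version, signature_type, timestamp, entry_type, leaf certificate
    (24-bit length prefix), empty extensions. No chain appears here."""
    return (bytes([SCT_V1, CERTIFICATE_TIMESTAMP])
            + struct.pack(">Q", timestamp_ms)
            + struct.pack(">H", X509_ENTRY)
            + struct.pack(">I", len(leaf_cert))[1:] + leaf_cert
            + struct.pack(">H", 0))


class ToyLog:
    def __init__(self, key, accepted_roots):
        self.key = key
        self.log_id = hashlib.sha256(key).digest()   # stands in for key hash
        self.accepted_roots = set(accepted_roots)
        # Previously issued SCTs, keyed by the hash of the EE certificate only.
        self.sct_by_leaf = {}

    def add_chain(self, chain):
        """Submission: [leaf, intermediates..., root]. The chain is checked
        against the accepted roots, but only the leaf is signed."""
        leaf, *rest = chain
        if not rest or rest[-1] not in self.accepted_roots:
            raise ValueError("chain does not terminate in an accepted root")
        leaf_hash = hashlib.sha256(leaf).digest()
        if leaf_hash in self.sct_by_leaf:
            # The draft's MAY: hand back the SCT issued earlier.
            return self.sct_by_leaf[leaf_hash]
        ts = int(time.time() * 1000)
        sig = hmac.new(self.key, sct_signed_data(ts, leaf), "sha256").digest()
        sct = {"version": SCT_V1, "log_id": self.log_id,
               "timestamp": ts, "signature": sig}
        self.sct_by_leaf[leaf_hash] = sct
        return sct


def verify_sct(log_id, log_key, sct, handshake_leaf):
    """Client side: the SCT must be for the EE certificate presented in the
    handshake. The HMAC key stands in for the log's public key."""
    if sct["version"] != SCT_V1 or sct["log_id"] != log_id:
        return False
    expected = hmac.new(log_key,
                        sct_signed_data(sct["timestamp"], handshake_leaf),
                        "sha256").digest()
    return hmac.compare_digest(expected, sct["signature"])


def demo():
    """Same EE submitted under two different chains yields one SCT."""
    log = ToyLog(LOG_KEY, [ROOT_A, ROOT_B])
    sct_a = log.add_chain([EE_CERT, INTERMEDIATE_A, ROOT_A])
    sct_b = log.add_chain([EE_CERT, INTERMEDIATE_B, ROOT_B])
    return {
        "same_sct": sct_a == sct_b,
        "valid_for_ee": verify_sct(log.log_id, LOG_KEY, sct_a, EE_CERT),
        "valid_for_other_ee": verify_sct(log.log_id, LOG_KEY, sct_a, OTHER_EE),
    }


if __name__ == "__main__":
    print(demo())
```

The chain still matters at submission time (the log refuses a chain that does not end in a root it accepts), but once the leaf is known the chain is not recorded in the SCT, which is why the server operator question about a second SCT chaining to a different root cannot be answered from the SCT itself.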
