On 26 September 2013 15:29, Joseph Bonneau <[email protected]> wrote:
>> > I'd like some elaboration on the plan for step 6, creating a whitelist of
>> > valid EV certificates without an SCT. How is this going to be achieved?
>>
>> Not sure what the question is - as the doc says, the list will be
>> constructed from the logs...
>
> I think I read it incorrectly as "without an embedded CT from *any* qualifying
> logs" instead of "from all qualifying logs." Now I can see how the whitelist
> is created, but I'm less clear on what the intention of it is. Is the
> assumption that some certs will be issued with more than zero but fewer than
> three SCTs (proposed as the minimum acceptable in the "Qualifying
> Certificates" section) and you'd like to whitelist such certs during the
> rollout period?

Ah. So, all existing certs do not have embedded SCTs. So, we either
wait until all existing certs expire before we can enforce CT, or we
whitelist the unexpired certs.

> Also, why isn't there a step 8 in the plan, where the whitelist is
> deprecated and every EV cert requires SCTs and Chrome is rejecting the EV
> certs without them?

The whitelist is fixed, so at some point all certs in the whitelist
expire, and the whitelist thus becomes empty.
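As an added illustration (not part of the thread or of any Chrome/CT code), here is a small Python model of the rollout described above: a fixed whitelist built once from the certs that are unexpired at the cutoff and lack the required SCTs, which is never extended and so empties by itself as those certs expire. The minimum of three SCTs is taken from the thread; the fingerprints and dates are constructed sample values.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Minimum number of embedded SCTs for a qualifying EV cert (value from the thread;
# the real policy may scale with certificate lifetime).
MIN_SCTS = 3


@dataclass(frozen=True)
class EvCert:
    fingerprint: str      # constructed placeholder, stands in for a SHA-256 hash
    not_after: datetime   # certificate expiry
    sct_count: int        # number of embedded SCTs


def build_whitelist(existing_certs, cutoff):
    """Fixed whitelist: every cert already issued, unexpired at the cutoff, and
    short of MIN_SCTS. Built once (e.g. from the logs) and never added to."""
    return {c.fingerprint: c.not_after for c in existing_certs
            if c.not_after > cutoff and c.sct_count < MIN_SCTS}


def live_whitelist(whitelist, now):
    """Entries drop out as their certs expire; nothing is ever added."""
    return {fp: exp for fp, exp in whitelist.items() if exp > now}


def accept_ev(cert, whitelist, now):
    """EV treatment is granted only to unexpired certs that either carry enough
    SCTs or are still covered by the (shrinking) whitelist."""
    if cert.not_after <= now:
        return False
    if cert.sct_count >= MIN_SCTS:
        return True
    return cert.fingerprint in live_whitelist(whitelist, now)


# Constructed sample data: two certs existed at the cutoff, one was issued later.
UTC = timezone.utc
CUTOFF = datetime(2013, 10, 1, tzinfo=UTC)
OLD_NO_SCT = EvCert("fp-old-no-sct", datetime(2014, 6, 1, tzinfo=UTC), 0)
OLD_WITH_SCT = EvCert("fp-old-with-sct", datetime(2015, 1, 1, tzinfo=UTC), 3)
NEW_NO_SCT = EvCert("fp-new-no-sct", datetime(2015, 6, 1, tzinfo=UTC), 0)
WHITELIST = build_whitelist([OLD_NO_SCT, OLD_WITH_SCT], CUTOFF)


def rollout_snapshot(now):
    """Decisions for the three certs plus the number of whitelist entries still live."""
    return (accept_ev(OLD_NO_SCT, WHITELIST, now),
            accept_ev(OLD_WITH_SCT, WHITELIST, now),
            accept_ev(NEW_NO_SCT, WHITELIST, now),
            len(live_whitelist(WHITELIST, now)))
```

Early in the rollout the legacy cert passes via the whitelist while a later-issued cert without SCTs does not; once the legacy cert expires the whitelist has no live entries and only SCT-bearing certs qualify.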
_______________________________________________
therightkey mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/therightkey
