On Tue, Feb 4, 2014 at 3:37 PM, Jeremy Rowley <[email protected]> wrote:
> Doesn't that simply require the cert user to either start using OCSP with an
> embedded certificate or getting a new certificate from the user?

If the certificate was used with OCSP stapling, the CA had a reasonably short OCSP validity window and the CA could update the SCT in the OCSP response quickly, then that would solve the problem. However, for the purposes of this spec I don't think we said anything about that because of the complexity. Having multiple SCTs is clearly ok and that kept things simple.

> Plus, under the current plan, the site doesn't go dark. Instead, their EV
> cert isn't recognized as an EV certificate.

For EV certificates the problem is greatly reduced. But EV certificates are just a trial for doing it universally and we have the end state in mind.

Cheers

AGL

_______________________________________________
therightkey mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/therightkey
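The two points in the exchange above, that a certificate can carry SCTs via more than one path (embedded in the cert, in a stapled OCSP response, or in the TLS extension) and that having several SCTs is what keeps a site from going dark when one log is later distrusted, can be made concrete with a small client-side check. What follows is an added example written for this page; it is not code from the thread, from the CT specification, or from any browser. It parses the RFC 6962 SignedCertificateTimestampList wire format, merges SCTs from the three delivery paths, discards SCTs from logs in a disqualified set, and applies an assumed policy of "at least N distinct surviving logs". The log IDs, timestamps and signature bytes are constructed, the policy threshold is an assumption, and signature verification over the (pre)certificate is deliberately omitted; a real client must verify each SCT with the log's public key before counting it.

```python
import struct
from dataclasses import dataclass

# Constructed 32-byte log IDs for the example; these are not real CT log IDs.
LOG_A = bytes([0xA1] * 32)
LOG_B = bytes([0xB2] * 32)


@dataclass(frozen=True)
class SCT:
    log_id: bytes      # SHA-256 of the log's public key (RFC 6962 s3.2)
    timestamp_ms: int  # milliseconds since the Unix epoch
    signature: bytes   # opaque here; a real client verifies it with the log's key


def encode_sct(sct: SCT) -> bytes:
    """Serialize one v1 SignedCertificateTimestamp; used only to build sample input."""
    body = b"\x00" + sct.log_id + struct.pack(">Q", sct.timestamp_ms)
    body += struct.pack(">H", 0)            # empty CtExtensions
    body += b"\x04\x03"                     # sha256 / ecdsa (RFC 5246 algorithm codes)
    body += struct.pack(">H", len(sct.signature)) + sct.signature
    return body


def encode_sct_list(scts) -> bytes:
    """SignedCertificateTimestampList: 2-byte total length, then 2-byte-length-prefixed SCTs."""
    items = b"".join(struct.pack(">H", len(e)) + e for e in map(encode_sct, scts))
    return struct.pack(">H", len(items)) + items


def parse_sct(item: bytes) -> SCT:
    """Parse one v1 SCT; raises ValueError on anything malformed rather than guessing."""
    if len(item) < 1 + 32 + 8 + 2 + 2 + 2:
        raise ValueError("SCT too short")
    if item[0] != 0:
        raise ValueError("unsupported SCT version %d" % item[0])
    log_id = item[1:33]
    (ts,) = struct.unpack(">Q", item[33:41])
    (ext_len,) = struct.unpack(">H", item[41:43])
    pos = 43 + ext_len                      # skip extensions; algorithm ids follow
    if pos + 4 > len(item):
        raise ValueError("SCT truncated after extensions")
    (sig_len,) = struct.unpack(">H", item[pos + 2:pos + 4])
    sig = item[pos + 4:pos + 4 + sig_len]
    if len(sig) != sig_len or pos + 4 + sig_len != len(item):
        raise ValueError("bad signature length")
    return SCT(log_id, ts, sig)


def parse_sct_list(data: bytes):
    """Parse a SignedCertificateTimestampList (the TLS extension / OCSP / X.509 payload)."""
    if len(data) < 2:
        raise ValueError("list too short")
    (total,) = struct.unpack(">H", data[:2])
    if total != len(data) - 2:
        raise ValueError("list length mismatch")
    pos, out = 2, []
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated item length")
        (n,) = struct.unpack(">H", data[pos:pos + 2])
        pos += 2
        item = data[pos:pos + n]
        if len(item) != n:
            raise ValueError("truncated SCT")
        pos += n
        out.append(parse_sct(item))
    return out


def usable_scts(embedded, ocsp, tls_ext, disqualified):
    """Merge SCTs from all three delivery paths, dropping any from disqualified logs.
    One SCT per log is kept, so several SCTs from the same log never count twice."""
    by_log = {}
    for src in (embedded, ocsp, tls_ext):
        for sct in (parse_sct_list(src) if src else []):
            if sct.log_id in disqualified:
                continue
            by_log.setdefault(sct.log_id, sct)
    return list(by_log.values())


def meets_policy(embedded, ocsp, tls_ext, disqualified, min_logs=1):
    """Assumed policy for the example: at least `min_logs` distinct non-disqualified logs."""
    return len(usable_scts(embedded, ocsp, tls_ext, disqualified)) >= min_logs


if __name__ == "__main__":
    embedded = encode_sct_list([SCT(LOG_A, 1391500000000, b"\x30\x02\x01\x01")])
    stapled = encode_sct_list([SCT(LOG_B, 1391550000000, b"\x30\x02\x01\x02")])
    # Log A is later disqualified: the embedded-only cert stops qualifying ...
    print(meets_policy(embedded, None, None, {LOG_A}))      # False
    # ... but a fresh SCT delivered in the stapled OCSP response rescues it.
    print(meets_policy(embedded, stapled, None, {LOG_A}))   # True
```

The dedup-by-log step matters: a list that repeats the same log's SCT twice should not satisfy a two-log policy, which is why `usable_scts` keys on `log_id` rather than counting entries. The same structure also illustrates the OCSP-window point in the message: if the stapled response is the only source of a surviving SCT, the certificate's fate is tied to how quickly the CA can re-issue that response.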
