On 02/18/2014 11:58 AM, Ben Laurie wrote:
> On 18 February 2014 15:37, Tim Moses <[email protected]> wrote:
>> Ben - Will Chrome deny EV status to a certificate with too few SCTs, or
>> will it grant EV status as long as at least one of its SCTs is from a log
>> that remains in the program?
>
> It will deny.

Doesn't this reintroduce the perverse incentive to avoid killing a
known-misbehaving log?

One of the nice things about requiring corroborative SCTs on new certs
is that we can kill any log that is misbehaving without any pushback
from certificate-holders concerned that their site will "go dark" (or
"lose the fancy green label", in this EV case).

If we make it so that the EV label goes away when either of the
corroborators dies, then certificate holders have incentive to support a
failed log, even though this goes against the best interests of their users.

--dkg
_______________________________________________
therightkey mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/therightkey
