On 5 August 2017 at 01:30, Brian Sniffen <bsnif...@akamai.com> wrote:
> ## Don't stand out
>
> I think the requirement that the browser check the CT log and perform
> DNSSEC in 3.2 is likely to violate the don't-stand-out requirement, as I
> don't expect most browsers to do that most times.  Am I missing
> something?

Checking the CT log or doing DNSSEC validation would definitely cause
a red flag, but if the DNSSEC chain extension to TLS is used
(consistently), then the information is already on hand.  I don't know
what can be done for CT (SCT likely isn't what we're looking for
here).

The conclusion to the ORIGIN frame discussion ended with two choices
that increase confidence that a certificate isn't mis-issued without
violating this principle.  That was OCSP stapling or SCT.  It's an
important principle, maybe this draft should be clearer about that.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls