On 5 August 2017 at 01:30, Brian Sniffen <[email protected]> wrote:

> ## Don't stand out
>
> I think the requirement that the browser check the CT log and perform
> DNSSEC in 3.2 is likely to violate the don't-stand-out requirement, as I
> don't expect most browsers to do that most times. Am I missing
> something?
Checking the CT log or doing DNSSEC validation would definitely cause a red flag, but if the DNSSEC chain extension to TLS is used (consistently), then the information is already on hand. I don't know what can be done for CT (SCT likely isn't what we're looking for here).

The conclusion to the ORIGIN frame discussion ended with two choices that increase confidence that a certificate isn't mis-issued without violating this principle. That was OCSP stapling or SCT.

It's an important principle; maybe this draft should be clearer about that.

_______________________________________________
TLS mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/tls
