>
> On the other hand, the actual certificates are not what one
> would want to log anyway.  Instead one would only want to log DS RRsets
> or NODATA proofs from eTLD registries (gTLDs, ccTLDs and also various
> 2LD, 3LD, ...  suffixes operated by TLD registries).


This is the case if you run your own authoritative DNS server. Most do not.
So you'd want transparency on the TLSA records as well.

> Similar spamming would be possible by
> obtaining certificates from many CAs and rolling them over as frequently
> as possible.
>

CAs have quite strict rate-limits in place for free certificate issuance,
so it's not a problem.

Best,

 Bas
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls