On 01/04/14 21:28, Gervase Markham wrote:
> On 01/04/14 21:26, Rob Stradling wrote:
>> Hi Gerv. I don't think this is desirable.
>>
>> Only the domain owner needs to know what the unmasked subdomains are,
>> and they can do this by simply looking at the corresponding Certificate.
>
> Does it not help with your combinatorial explosion, because it's then
> much easier to match up a potential cert with its logged precert?
>
> Or am I mistaken?

A TLS client will see only the Certificate, and from that it needs to reconstruct the Precertificate.

Yes, the Precertificate is publicly logged, but this doesn't help a TLS client that is not allowed to perform blocking side-channel lookups during TLS handshakes.

So no, I'm afraid it wouldn't help with the combinatorial explosion. (So I'll stick with my original idea for solving that).

--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online

_______________________________________________
Trans mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/trans
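As an added illustration of the reconstruction problem described in the message above (example code written for this page, not from the thread, from COMODO, or from any CT implementation): the following Python models a TLS client that holds only the Certificate, is not allowed to look anything up during the handshake, and must therefore guess which labels were masked in the logged Precertificate before it can check the SCT. It assumes a masking scheme in which each masked left-most label of a dNSName is replaced by the placeholder label "?" and the two right-most labels are never masked; neither detail is stated on this page. The stand-in callable `matches_logged_precert` plays the role of SCT signature verification over a reconstructed Precertificate, and the sample names and the "logged" masking are constructed for the demo.

```python
"""
Model of the "combinatorial explosion" a TLS client faces when it must
reconstruct a name-masked Precertificate from the Certificate alone.

Assumptions (not stated in the thread):
  * masking replaces each masked left-most label of a dNSName with "?",
    one "?" per masked label, so the label count is preserved;
  * the two right-most labels of a name are never masked;
  * the Certificate carries no record of how many labels were masked.
"""
from itertools import product

MASK = "?"
KEEP_AT_LEAST = 2  # assumed: right-most labels that can never be masked


def mask_name(name: str, masked_labels: int) -> str:
    """Return `name` with its `masked_labels` left-most labels replaced by "?"."""
    labels = name.split(".")
    if masked_labels < 0 or masked_labels > len(labels) - KEEP_AT_LEAST:
        raise ValueError(f"cannot mask {masked_labels} labels of {name!r}")
    return ".".join([MASK] * masked_labels + labels[masked_labels:])


def candidate_maskings(name: str) -> list:
    """Every Precertificate form one name could have taken in the log."""
    n = len(name.split("."))
    return [mask_name(name, k) for k in range(0, n - KEEP_AT_LEAST + 1)]


def count_candidates(cert_names) -> int:
    """How many candidate Precertificates the client has to consider.

    The choices for each name are independent, so the total is the product
    of the per-name choices: this is the combinatorial explosion."""
    total = 1
    for name in cert_names:
        total *= len(candidate_maskings(name))
    return total


def candidate_precert_name_sets(cert_names):
    """Lazily enumerate every combination of per-name maskings."""
    per_name = [candidate_maskings(name) for name in cert_names]
    for combo in product(*per_name):
        yield tuple(combo)


def reconstruct_precert_names(cert_names, matches_logged_precert):
    """Brute-force reconstruction without any side-channel lookup.

    `matches_logged_precert(candidate)` stands in for verifying the SCT
    signature over a Precertificate rebuilt with `candidate` as its names.
    Returns (winning candidate or None, number of SCT checks attempted)."""
    attempts = 0
    for candidate in candidate_precert_name_sets(cert_names):
        attempts += 1
        if matches_logged_precert(candidate):
            return candidate, attempts
    return None, attempts


def reconstruct_with_masked_counts(cert_names, masked_counts):
    """Direct reconstruction when the client is told how many labels were
    masked per name (information only the domain owner has by default)."""
    return tuple(mask_name(n, k) for n, k in zip(cert_names, masked_counts))


# Constructed sample input: the dNSNames as they appear in the Certificate.
CERT_NAMES = [
    "www.example.com",
    "secret.internal.corp.example.com",
    "api.example.net",
    "mail.example.org",
]

# Constructed: what the domain owner actually chose to mask when logging.
LOGGED_PRECERT_NAMES = (
    "?.example.com",
    "?.?.?.example.com",
    "api.example.net",
    "?.example.org",
)


def sct_check_stub(candidate) -> bool:
    """Stand-in for SCT verification: passes only for the logged masking."""
    return candidate == LOGGED_PRECERT_NAMES


if __name__ == "__main__":
    print("candidate precerts:", count_candidates(CERT_NAMES))
    found, tries = reconstruct_precert_names(CERT_NAMES, sct_check_stub)
    print("brute force needed", tries, "SCT checks to find", found)
    print("with per-name counts:",
          reconstruct_with_masked_counts(CERT_NAMES, [1, 3, 0, 1]))
    print("ten five-label names:",
          count_candidates(["a.b.c.example.com"] * 10), "candidates")
```

Each extra SAN multiplies the search, and each longer name multiplies it again, so the client is doing many signature verifications per handshake unless it already knows, per name, how many labels were masked. That is exactly the information the client cannot fetch from the log without a blocking side-channel lookup.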
