On Wed, Apr 9, 2014 at 9:13 AM, Ben Laurie <[email protected]> wrote:
> On 9 April 2014 01:49, Phillip Hallam-Baker <[email protected]> wrote:
>> Since TRANS is joined to X.509 at the hip, how about we just shovel
>> all the metadata describing the configuration of the notary into the
>> certificate that signs the notary log outputs periodically?
>
> I guess if you are a CA everything looks like a certificate.
> Currently, logs do not use certificates to manage their own keys. I
> guess they could. But I thought you preferred JSON for new stuff?
I do, but I also prefer to avoid long discussions that I don't think I am going to win.

As a general matter, most mechanisms that manage keys are likely to generate X.509v3 certificates or CSRs as a by-product. Even some of the DNSSEC stuff generates them.

>> I am assuming here that the signing hierarchy for the log has an
>> offline key that periodically signs the online key.
>
> Again, currently, no. Seems to me that you can introduce a lot of
> complication this way not needed for the only known client use case
> (deployment in Chrome). Not against specifying it, to be clear, but
> unsure it should live in the same doc. Or hold it up.

I tend to think that anyone who would check cert status against TRANS is already doing X.509v3 and bar

--
Website: http://hallambaker.com/

_______________________________________________
Trans mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/trans
