What I think this discussion is really uncovering is that we don't really have a model for how CT is applied to WebPKI certificates. All the questions raised in the DNSSEC discussion seem to be predicated on assumptions as to how CT logs are managed that are outside the spec.
Which is why having the DNSSEC discussion now is useful. I don't like specs that are based on unwritten assumptions. That leads to a situation where implementations have to understand folklore. In particular, does CA = log maintainer?
For DNSSEC there seem to be a lot of unnecessary assumptions being made. I certainly don't think everyone wants to run their own CT log for DNSSEC. And there would be little value in the scheme if they did. The value of a CT log depends in part on aggregation.
Another unnecessary assumption is that any log maintainer would have to be a CABForum member. Membership in the forum has no impact on root inclusion or CT. The only requirement for root inclusion is acceptance by the root maintainer, most of which adopt the CABForum EV and BR criteria. The most important part there being audit.
It is probably fair to assume that CT logs will be maintained by CAs, but it would be entirely practical for an open service to be established. The criteria are rather simpler to enforce than certificate issue. It might or might not be desirable to require some sort of certificate chain to some sort of root. But any such chain does not need to be the only validation chain. PKIX supports cross certificates, and an end-entity certificate may be legitimately accredited to multiple roots.
The main question is what purpose a CT log for DNSSEC would serve. For me the value would be to protect my domain against having it stolen by ICANN. The idea that we should put trust or faith in an organization extorting $250,000 for domains is ridiculous. And so is the fact that IESG members have told me that they don't think they should make that kind of comment even if true because of 'politics'.
If you don't like your WebPKI CA then you can get another. And that means the costs are competitive. But ICANN has a monopoly and a rent-seeking management. Deploying CT to establish an independent claim on the domains makes perfect sense.
_______________________________________________
Trans mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/trans
