On Sun, May 11, 2014 at 11:37 AM, Paul Wouters <[email protected]> wrote:
> On Sun, 11 May 2014, Phillip Hallam-Baker wrote:
>
>> It is probably fair to assume that CT logs will be maintained by CAs
>
> That would be a non-starter for those people (let's call them the defcon
> crowd) who are looking at dnssec as a way out of the trust in a handful
> of CAs or TLD operators.

As I went on to say:

"It is probably fair to assume that CT logs will be maintained by CAs but it would be entirely practical for an open service to be established. The criteria are rather simpler to enforce than certificate issue."

I don't see the CAs running CT logs as being necessarily exclusive. In particular, running a CT log does not require audit which is the difficult part of being a CA.

The whole point of transparency is that the operation of the log does not need a trusted auditor with special access. Anyone can audit the operation of the log.

Now what the non-CA application does call for is thinking through a lot more of the operation of the logs and how they are held accountable.

>> The main question is what purpose a CT log for DNSSEC would serve. For
>> me the value would be to protect my domain against having it stolen by
>> ICANN.
>
> Or any of the parental zones above your own zone.

True and that concern has already been an issue with zones such as vb.ly which was grabbed back when the value of the zone was realized.

--
Website: http://hallambaker.com/
