> > Is CT intended to be run all the way from the root to the CAs furthest
> > from the root? I didn't think it was, and if it is, please tell me.
Yes, it is. The goal of CT is that browsers will eventually reject any end-entity TLS certificate that doesn't have an SCT. I believe this is true regardless of the number of intermediate CAs in the cert's path to a trusted root. There's an exception for trust anchors manually added to the browser to accommodate private CAs, but essentially all certificates that standard browsers will accept out of the box must be logged. By contrast, with DNSSEC you seem to be suggesting that many DNSSEC records that browsers/resolvers will accept as genuine will not be logged anywhere (or will be logged somewhere that isn't necessarily audited) and the browser will still accept them.
_______________________________________________
Trans mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/trans
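The policy the message describes (an SCT is required for any chain that ends at a built-in root, whatever its depth, while chains ending at a manually added anchor are exempt) can be written down as a small checker. The Go program below is an added example and is not code from the message's author or from any browser; it uses only the standard library. The SCT extension OID 1.3.6.1.4.1.11129.2.4.2 is the real one from RFC 6962, section 3.3, but the extension payload placed in the test leaf is a constructed placeholder (an empty SCT list), not a log-signed SCT, and only the embedded-extension delivery method is checked; a real client policy would also look at the TLS extension and OCSP delivery methods and at how many SCTs from which logs are present. The CA names and host names are likewise constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// OID of the embedded SignedCertificateTimestampList extension (RFC 6962, section 3.3).
var oidEmbeddedSCT = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 11129, 2, 4, 2}

// hasEmbeddedSCT reports whether the certificate carries the SCT list extension.
// Only this delivery method is inspected; RFC 6962 also allows a TLS extension
// and OCSP stapling, which a complete client policy would consult as well.
func hasEmbeddedSCT(cert *x509.Certificate) bool {
	for _, ext := range cert.Extensions {
		if ext.Id.Equal(oidEmbeddedSCT) {
			return true
		}
	}
	return false
}

// ctPolicyAccepts applies the rule from the message: a chain ending at a manually
// added anchor is exempt from CT; a chain ending at a built-in root must carry an
// SCT. The number of intermediates in the chain plays no part in the decision.
func ctPolicyAccepts(leaf *x509.Certificate, host string, builtin, manual *x509.CertPool) (bool, string) {
	if _, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: manual}); err == nil {
		return true, "chains to a manually added anchor: SCT not required"
	}
	if _, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: builtin}); err != nil {
		return false, "does not chain to any trusted root: " + err.Error()
	}
	if !hasEmbeddedSCT(leaf) {
		return false, "chains to a built-in root but carries no SCT"
	}
	return true, "chains to a built-in root and carries an SCT"
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// issue signs tmpl with signer; parent == nil produces a self-signed certificate.
func issue(tmpl, parent *x509.Certificate, pub interface{}, signer *ecdsa.PrivateKey) *x509.Certificate {
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// template returns a certificate skeleton valid for one day (constructed values).
func template(cn string, serial int64) *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
}

func caTemplate(cn string, serial int64) *x509.Certificate {
	t := template(cn, serial)
	t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
	return t
}

func leafTemplate(host string, serial int64, withSCT bool) *x509.Certificate {
	t := template(host, serial)
	t.DNSNames = []string{host}
	t.KeyUsage = x509.KeyUsageDigitalSignature
	t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	if withSCT {
		// Constructed placeholder: an OCTET STRING holding an empty SCT list.
		// A real certificate would carry log-signed SCTs here.
		t.ExtraExtensions = []pkix.Extension{{Id: oidEmbeddedSCT, Value: []byte{0x04, 0x02, 0x00, 0x00}}}
	}
	return t
}

// scenario builds a private CA (installed as a manual anchor) and a "built-in"
// CA, issues three leaves and returns the policy verdict for each of them.
func scenario() map[string]bool {
	privKey, pubKey, leafKey := newKey(), newKey(), newKey()
	privCA := issue(caTemplate("Private Corp Root (constructed)", 1), nil, &privKey.PublicKey, privKey)
	builtinCA := issue(caTemplate("Example Built-in Root (constructed)", 2), nil, &pubKey.PublicKey, pubKey)
	manual, builtin := x509.NewCertPool(), x509.NewCertPool()
	manual.AddCert(privCA)
	builtin.AddCert(builtinCA)

	leaves := map[string]*x509.Certificate{
		"private-ca-no-sct": issue(leafTemplate("intranet.example", 10, false), privCA, &leafKey.PublicKey, privKey),
		"builtin-ca-no-sct": issue(leafTemplate("www.example", 11, false), builtinCA, &leafKey.PublicKey, pubKey),
		"builtin-ca-sct":    issue(leafTemplate("www.example", 12, true), builtinCA, &leafKey.PublicKey, pubKey),
	}
	verdicts := make(map[string]bool)
	for name, leaf := range leaves {
		ok, why := ctPolicyAccepts(leaf, leaf.DNSNames[0], builtin, manual)
		fmt.Printf("%-18s accepted=%-5v %s\n", name, ok, why)
		verdicts[name] = ok
	}
	return verdicts
}

func main() { scenario() }
```

Running it accepts the private-CA leaf without an SCT, rejects the built-in-root leaf that lacks one, and accepts the built-in-root leaf that carries the extension. Checking the manual pool before the built-in pool is what encodes the exemption: if a leaf chains to both (for example, a public root that an administrator has also imported by hand), the policy treats it as manually trusted, which matches the message's description but may be stricter or looser than a given browser's actual behaviour.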
