On Tue, May 13, 2014 at 12:22 AM, Joseph Bonneau <[email protected]> wrote:
>> Is CT intended to be run all the way from the root to the CAs furthest
>> from the root? I didn't think it was, and if it is, please tell me.
>
> Yes, it is. The goal of CT is that browsers will eventually reject any
> end-entity TLS certificate that doesn't have an SCT. I believe this is true
> regardless of the number of intermediate CAs in the cert's path to a trusted
> root. There's an exception for trust anchors manually added to the browser
> to accommodate private CAs, but essentially all certificates that standard
> browsers will accept out of the box must be logged.
Ah, yes, and actually we should want the same for DNSSEC. The problem then becomes privacy. But I think we can achieve that by not logging names, just hashes of the relevant RRsets, no? Since public keys will generally be part of the relevant RRsets, this won't help zone enumerators.

Nico

--
_______________________________________________
Trans mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/trans
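Added example (editor's illustration, not code from the thread or from any CT or DNSSEC implementation) of the privacy argument above: a log leaf computed over the canonical DNSSEC RRset (RFC 4034 section 6 form, simplified here) versus a leaf computed over the bare owner name. The zone, owner name, TTL and DNSKEY bytes are constructed for the demonstration.

```python
import hashlib
import struct
from typing import Iterable, Optional

IN_CLASS = 1
DNSKEY = 48

def wire_name(name: str) -> bytes:
    """Owner name in canonical DNS wire form (RFC 4034 s6.2: lowercase labels)."""
    labels = [lab.encode("ascii").lower() for lab in name.rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab for lab in labels) + b"\x00"

def canonical_rrset(owner: str, rtype: int, ttl: int, rdatas: Iterable[bytes]) -> bytes:
    """Canonical RRset form (RFC 4034 s6.3): RRs sorted by RDATA, each encoded as
    owner | type | class | ttl | rdlength | rdata."""
    out = b""
    for rdata in sorted(rdatas):
        out += wire_name(owner) + struct.pack("!HHIH", rtype, IN_CLASS, ttl, len(rdata)) + rdata
    return out

def rrset_leaf(owner: str, rtype: int, ttl: int, rdatas: Iterable[bytes]) -> str:
    """Log entry as proposed in the thread: a hash of the RRset, not of the bare name."""
    return hashlib.sha256(canonical_rrset(owner, rtype, ttl, rdatas)).hexdigest()

def name_leaf(owner: str) -> str:
    """Naive alternative for comparison: a hash of the owner name only."""
    return hashlib.sha256(wire_name(owner)).hexdigest()

def dictionary_attack(leaf: str, wordlist: Iterable[str], leaf_fn) -> Optional[str]:
    """What a zone enumerator can do with a wordlist: recompute candidate leaves."""
    for name in wordlist:
        if leaf_fn(name) == leaf:
            return name
    return None

# Constructed sample data (not from any real zone): a DNSKEY RRset with one key.
# DNSKEY RDATA = flags(2) | protocol(1) | algorithm(1) | public key bytes (fake here).
SAMPLE_OWNER = "internal-db.example."
SAMPLE_TTL = 3600
SAMPLE_KEY = bytes.fromhex("0101030d") + hashlib.sha256(b"fake key material").digest()
WORDLIST = ["www.example.", "mail.example.", "internal-db.example.", "vpn.example."]

def enumerator_vs_name_leaf() -> Optional[str]:
    # Name-only hashes fall to a wordlist: the whole preimage is guessable.
    return dictionary_attack(name_leaf(SAMPLE_OWNER), WORDLIST, name_leaf)

def enumerator_vs_rrset_leaf() -> Optional[str]:
    # RRset hashes do not: the preimage includes key material the enumerator lacks,
    # so trying names alone (no RDATA available to it) never reproduces the leaf.
    leaf = rrset_leaf(SAMPLE_OWNER, DNSKEY, SAMPLE_TTL, [SAMPLE_KEY])
    return dictionary_attack(leaf, WORDLIST, lambda n: rrset_leaf(n, DNSKEY, SAMPLE_TTL, []))
```

A monitor that already holds the full RRset (for example because it serves the zone) can recompute rrset_leaf and check the log for it, which is the property the thread wants to keep while denying enumerators the name.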
