Symantec (and I suspect other CAs) would like more information about what roots will be configured into log servers.
Root Certificates: The current spec includes a call to Retrieve Accepted Root Certificates. Should we infer from that that the list might change over time? We expect new roots would be added, but would roots ever get removed? For example, browser vendors are in the process of removing 1024-bit roots from their trust stores, and in the next few years we expect that SHA-1 roots might be removed too. Would log server operators also phase out such roots?

Once there are more than three log servers, we expect to decide up front which log servers we will contact for SCTs. We do not expect to dynamically query each log server to confirm that it still trusts our root, just before attempting to log a certificate. Is that a valid assumption? It would be preferable for the log server operator to publish a list of roots and commit to supporting those roots until the CA informs the operator that the root is no longer in active use, and all certificates chained to that root have expired.

Cross-Certificates: We have been providing cross-certificates to customers to deploy so that their certificate could chain up to a 1024-bit root (for use in older browsers without our 2048-bit roots). If the cross-certificate is ignored, the end-entity cert chains up to one of our 2048-bit roots. We expect to continue using cross-certificates until we determine that their use is no longer required. We'd like to be sure that the use of cross-certificates will not cause any problems for log servers.

For example, take the case where we log a certificate we're about to issue (or have issued) and we include the cross-certificate in the chain sent to the log server. Then the customer (for whatever reason) decides to also send their certificate to the log server, but without the cross-certificate. Will the log server see this as the same certificate, and return to the customer the same SCTs? Or will the certificate get logged a second time? If the latter, will that cause any problems?

-Rick
_______________________________________________ Trans mailing list [email protected] https://www.ietf.org/mailman/listinfo/trans
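Two of the questions in the post above can be made concrete with the data structures RFC 6962 actually defines: the `get-roots` response (section 4.7), which a CA could poll to check whether a root is still accepted, and the `MerkleTreeLeaf` for an `x509_entry` (section 3.4), which covers only the end-entity certificate and the log-assigned timestamp, not the submitted chain. The following is an added example written for this page; it is not code from the post, from the Trans working group, or from any log implementation. The "DER" byte strings and the `get-roots` JSON are constructed stand-ins (the hash computation never parses them), and `sct_leaf_hash_for_submission` is a hypothetical helper name.

```python
import base64
import hashlib
import json
import struct

# RFC 6962 enum values (sections 3.1, 3.2 and 3.4).
VERSION_V1 = 0
LEAF_TYPE_TIMESTAMPED_ENTRY = 0
ENTRY_TYPE_X509 = 0


def _opaque(data: bytes, length_bytes: int) -> bytes:
    """TLS-style variable-length vector: big-endian length prefix, then data."""
    if len(data) >= 1 << (8 * length_bytes):
        raise ValueError("vector too long for its length prefix")
    return len(data).to_bytes(length_bytes, "big") + data


def merkle_tree_leaf_x509(leaf_der: bytes, timestamp_ms: int, extensions: bytes = b"") -> bytes:
    """Serialise a MerkleTreeLeaf for an x509_entry (RFC 6962 section 3.4).

    Only the end-entity certificate, the timestamp and the extensions are
    included; the intermediates, cross-certificates and root in the submitted
    chain are stored by the log but are not part of the leaf.
    """
    return (
        bytes([VERSION_V1, LEAF_TYPE_TIMESTAMPED_ENTRY])
        + struct.pack(">Q", timestamp_ms)          # uint64 timestamp (ms since epoch)
        + struct.pack(">H", ENTRY_TYPE_X509)        # LogEntryType entry_type
        + _opaque(leaf_der, 3)                      # ASN.1Cert = opaque<1..2^24-1>
        + _opaque(extensions, 2)                    # CtExtensions = opaque<0..2^16-1>
    )


def leaf_hash(merkle_tree_leaf: bytes) -> bytes:
    """Merkle leaf hash: SHA-256(0x00 || MerkleTreeLeaf) (RFC 6962 section 2.1)."""
    return hashlib.sha256(b"\x00" + merkle_tree_leaf).digest()


def sct_leaf_hash_for_submission(chain_der: list, timestamp_ms: int) -> bytes:
    """Hypothetical helper: leaf hash for a chain submitted as [leaf, ..., root]."""
    return leaf_hash(merkle_tree_leaf_x509(chain_der[0], timestamp_ms))


def accepted_root_fingerprints(get_roots_json: str) -> set:
    """Parse a get-roots body, {"certificates": [<base64 DER>, ...]}, into
    SHA-256 fingerprints of each root (RFC 6962 section 4.7)."""
    body = json.loads(get_roots_json)
    return {hashlib.sha256(base64.b64decode(c)).hexdigest() for c in body["certificates"]}


def root_is_accepted(root_der: bytes, get_roots_json: str) -> bool:
    """True if the log's published root list contains this exact root."""
    return hashlib.sha256(root_der).hexdigest() in accepted_root_fingerprints(get_roots_json)


# Constructed stand-ins for DER certificates (not real X.509).
LEAF_DER = b"\x30\x82\x01\x00" + b"end-entity-cert" * 4
INTERMEDIATE_DER = b"\x30\x82\x01\x00" + b"intermediate-2048" * 4
CROSS_CERT_DER = b"\x30\x82\x01\x00" + b"cross-cert-to-1024-root" * 4
ROOT_2048_DER = b"\x30\x82\x01\x00" + b"root-2048" * 4
ROOT_1024_DER = b"\x30\x82\x01\x00" + b"root-1024" * 4

# Constructed get-roots response: this log accepts only the 2048-bit root.
SAMPLE_GET_ROOTS = json.dumps({"certificates": [base64.b64encode(ROOT_2048_DER).decode()]})


def demo() -> dict:
    """Compare the two submissions described in the post and check the root list."""
    ts = 1_400_000_000_000  # constructed log-assigned timestamp
    with_cross = [LEAF_DER, INTERMEDIATE_DER, CROSS_CERT_DER, ROOT_1024_DER]
    without_cross = [LEAF_DER, INTERMEDIATE_DER, ROOT_2048_DER]
    return {
        "same_leaf_hash": sct_leaf_hash_for_submission(with_cross, ts)
        == sct_leaf_hash_for_submission(without_cross, ts),
        "root_2048_accepted": root_is_accepted(ROOT_2048_DER, SAMPLE_GET_ROOTS),
        "root_1024_accepted": root_is_accepted(ROOT_1024_DER, SAMPLE_GET_ROOTS),
    }


if __name__ == "__main__":
    print(demo())
```

Given the same log-assigned timestamp, the leaf hash is identical whether or not the cross-certificate is in the chain, because the chain is not part of `MerkleTreeLeaf`. The caveat is the timestamp: a log that accepts a second submission as a fresh entry assigns a new timestamp and so produces a distinct leaf, while one that recognises the end-entity certificate as already logged can return the original SCT. RFC 6962 leaves that choice to the log operator. For the root-list question, `root_is_accepted` shows the check a CA could run against a log's `get-roots` output before relying on it, and the `get-roots` response is the only place the spec publishes that list.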
