I finally got around to reading the list of roots accepted by the pilot and aviator log servers (using the get-roots command). I see a number of our roots that seem inappropriate to me, meaning that we have never issued SSL certs (EV or non-EV) from those roots, and never intend to. It seems to me that Google cast a wide net to add all relevant roots to kickstart the log servers (perhaps bootstrapped from Mozilla's root list?), but at some point (before CT is "live") I would like to see the list trimmed.
My thinking is that if I somehow issue an SSL cert from a root that I did not intend to use for SSL, I would prefer to catch that as quickly as possible; ideally, when the log server refuses to give me an SCT. Is Google willing to remove roots from pilot and aviator? I think we need a somewhat formal way for CAs to provide log server operators their list of roots, and update that over time. For example, we have a few new roots that we expect to be using in the next few months, and I need to make sure they're added to log servers before I start using them. If log server operators provide a service level agreement (SLA) for such changes, that would be great. Comments? -Rick
_______________________________________________ Trans mailing list [email protected] https://www.ietf.org/mailman/listinfo/trans
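As an added example (not part of this message, nor code from any CT log operator), here is the reconciliation Rick describes: parse a get-roots reply in the RFC 6962 JSON format, fingerprint each accepted root, and report both roots the log accepts that the CA never meant to use for SSL and roots the CA plans to use that the log does not yet accept. The log URL, the root inventory and the DER byte strings are constructed placeholders, not real certificates.

```python
import base64
import hashlib
import json
import urllib.request

# Constructed stand-in for a log's /ct/v1/get-roots reply (RFC 6962 s4.7):
# "certificates" is a list of base64 DER roots. These bytes are placeholders.
SAMPLE_GET_ROOTS = json.dumps({"certificates": [
    base64.b64encode(b"constructed-root-A-der").decode(),
    base64.b64encode(b"constructed-root-B-der").decode(),
    base64.b64encode(b"constructed-root-C-der").decode(),
]})


def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER encoding, hex: the fingerprint CAs publish for roots."""
    return hashlib.sha256(der).hexdigest()


def parse_get_roots(body: str) -> dict:
    """Return {fingerprint: der} for every root the log currently accepts."""
    return {fingerprint(der): der
            for der in (base64.b64decode(b64)
                        for b64 in json.loads(body)["certificates"])}


def fetch_get_roots(log_url: str, timeout: int = 10) -> dict:
    """Live variant (needs network): GET <log_url>/ct/v1/get-roots and parse it."""
    with urllib.request.urlopen(log_url.rstrip("/") + "/ct/v1/get-roots",
                                timeout=timeout) as resp:
        return parse_get_roots(resp.read().decode())


def reconcile(accepted: dict, my_roots: set, ssl_roots: set) -> dict:
    """Compare a log's accepted roots with a CA's inventory.

    my_roots:  fingerprints of every root the CA operates.
    ssl_roots: the subset the CA actually intends to issue SSL certs from.
    'unexpected' = our roots the log accepts although we never meant them for SSL
                   (a mis-issued cert from one would still get an SCT).
    'missing'    = roots we plan to use for SSL that the log would refuse.
    """
    accepted_fps = set(accepted)
    return {
        "unexpected": sorted(accepted_fps & (my_roots - ssl_roots)),
        "missing": sorted(ssl_roots - accepted_fps),
    }


if __name__ == "__main__":
    fp = {n: fingerprint(f"constructed-root-{n}-der".encode()) for n in "ABCD"}
    report = reconcile(parse_get_roots(SAMPLE_GET_ROOTS),
                       my_roots={fp["A"], fp["B"], fp["D"]},
                       ssl_roots={fp["A"], fp["D"]})
    print(json.dumps(report, indent=2))
```

Replace `parse_get_roots(SAMPLE_GET_ROOTS)` with `fetch_get_roots("https://<log-host>")` to run it against a real log; the fingerprints in `my_roots` and `ssl_roots` then come from the CA's own root inventory.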
