On 18 July 2014 19:11, Rick Andrews <[email protected]> wrote:
> I finally got around to reading the list of roots accepted by the pilot and
> aviator log servers (using the get-roots command). I see a number of our
> roots that seem inappropriate to me, meaning that we have never issued SSL
> certs (EV or non-EV) from those roots, and never intend to. It seems to me
> that Google cast a wide net to add all relevant roots to kickstart the log
> servers (perhaps bootstrapped from Mozilla’s root list?), but at some point
> (before CT is “live”) I would like to see the list trimmed.

The list is the union of the roots accepted by popular browsers on popular
platforms.

> My thinking is that if I somehow issue an SSL cert from a root that I did
> not intend to use for SSL, I would prefer to catch that as quickly as
> possible; ideally, when the log server refuses to give me an SCT. Is Google
> willing to remove roots from pilot and aviator?

Yes, if it makes sense.

> I think we need a somewhat formal way for CAs to provide log server
> operators their list of roots, and update that over time. For example, we
> have a few new roots that we expect to be using in the next few months, and
> I need to make sure they’re added to log servers before I start using them.
> If log server operators provide a service level agreement (SLA) for such
> changes, that would be great.
>
> Comments?
>
> -Rick
>
> _______________________________________________
> Trans mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/trans
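The check Rick describes (comparing the roots a log accepts against the roots a CA actually intends to use for TLS issuance, and catching a mismatch before a cert is issued rather than when the log refuses an SCT) can be scripted against the get-roots output. The following is an added example, not code from the thread or from any log operator: it parses the RFC 6962 get-roots JSON shape ({"certificates": [base64 DER, ...]}), fingerprints each root with SHA-256, and diffs that set against the CA's own list. The certificate bytes below are constructed placeholders standing in for DER-encoded roots; a real run would feed it the body fetched from a log's /ct/v1/get-roots endpoint and the CA's actual root certificates.

```python
"""Diff a CT log's accepted roots (get-roots) against a CA's intended TLS roots.

Added example for the thread above; the sample roots are constructed bytes,
not real certificates, so the script runs offline.
"""
import base64
import hashlib
import json


def fingerprint(der):
    """SHA-256 fingerprint (lowercase hex) of a DER-encoded certificate."""
    return hashlib.sha256(der).hexdigest()


def parse_get_roots(body):
    """Parse a get-roots response body into {fingerprint: der_bytes}.

    RFC 6962 section 4.7 defines the response as a JSON object with a
    "certificates" array of base64-encoded DER certificates.
    """
    roots = {}
    for b64 in json.loads(body)["certificates"]:
        der = base64.b64decode(b64)
        roots[fingerprint(der)] = der
    return roots


def audit_roots(get_roots_body, intended_root_ders):
    """Compare the log's accepted roots with the roots the CA intends to use.

    Returns two sorted fingerprint lists:
      unexpected - accepted by the log but never meant for TLS issuance
                   (candidates for the trimming Rick asks about)
      missing    - planned for TLS issuance but not yet accepted by the log
                   (the log would refuse an SCT for chains to these roots)
    """
    accepted = set(parse_get_roots(get_roots_body))
    intended = {fingerprint(der) for der in intended_root_ders}
    return {
        "unexpected": sorted(accepted - intended),
        "missing": sorted(intended - accepted),
    }


def log_would_issue_sct(get_roots_body, chain_root_der):
    """Pre-flight check: would this log accept a chain ending in chain_root_der?"""
    return fingerprint(chain_root_der) in parse_get_roots(get_roots_body)


# Constructed sample data (placeholders, not real DER certificates).
ROOT_TLS_A = b"constructed DER placeholder: Example CA TLS Root A"
ROOT_TLS_B = b"constructed DER placeholder: Example CA TLS Root B"
ROOT_CODESIGN = b"constructed DER placeholder: Example CA Code Signing Root"
ROOT_TLS_NEW = b"constructed DER placeholder: Example CA TLS Root C (not yet in log)"

# What a log's get-roots response would look like if it accepted three roots,
# one of which (the code-signing root) the CA never intends to use for TLS.
SAMPLE_GET_ROOTS = json.dumps({
    "certificates": [
        base64.b64encode(der).decode("ascii")
        for der in (ROOT_TLS_A, ROOT_TLS_B, ROOT_CODESIGN)
    ]
})

# The CA's own list: the two current TLS roots plus one it plans to start using.
INTENDED_TLS_ROOTS = [ROOT_TLS_A, ROOT_TLS_B, ROOT_TLS_NEW]


if __name__ == "__main__":
    report = audit_roots(SAMPLE_GET_ROOTS, INTENDED_TLS_ROOTS)
    for label, fps in report.items():
        print(label + ":")
        for fp in fps:
            print("  " + fp)
    print("new root accepted by log:", log_would_issue_sct(SAMPLE_GET_ROOTS, ROOT_TLS_NEW))
```

Run periodically against each log a CA submits to, the "missing" list is the early warning for the new-roots problem in the message (a root going into production before the log accepts it), and the "unexpected" list is the CA's input to a trimming request.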
