On Fri, Jul 18, 2014 at 11:11:24AM -0700, Rick Andrews wrote:
> I finally got around to reading the list of roots accepted by the pilot and
> aviator log servers (using the get-roots command). I see a number of our
> roots that seem inappropriate to me, meaning that we have never issued SSL
> certs (EV or non-EV) from those roots, and never intend to. It seems to me
> that Google cast a wide net to add all relevant roots to kickstart the log
> servers (perhaps bootstrapped from Mozilla's root list?), but at some point
> (before CT is "live") I would like to see the list trimmed.
>
> My thinking is that if I somehow issue an SSL cert from a root that I did not
> intend to use for SSL, I would prefer to catch that as quickly as possible;
> ideally, when the log server refuses to give me an SCT. Is Google willing to
> remove roots from pilot and aviator?
It's my understanding that CT shouldn't only work for HTTPS, but for all different kinds of certificates. Maybe you want a log that only contains HTTPS, and have logs for different kinds of certificates?

Kurt

_______________________________________________
Trans mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/trans
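As an added example (not part of this thread, and not code from Google's log servers or any CA), the following Python script shows the check Rick describes from the CA operator's side: pull a log's accepted root set with the RFC 6962 `get-roots` call, fingerprint each root, and compare it with the CA's own classification of which roots are meant to issue SSL certificates and which are not. The endpoint path `/ct/v1/get-roots` and the `{"certificates": [...]}` response shape come from RFC 6962 section 4.7; the sample root bytes and fingerprints are constructed placeholders so the example runs offline, and the `fetch_get_roots` helper is only there to show how the same audit would be run against a live log.

```python
import base64
import hashlib
import json
import urllib.request

# RFC 6962 section 4.7: a log publishes its accepted root set at
# GET <log-url>/ct/v1/get-roots and answers {"certificates": [<base64 DER>, ...]}.
GET_ROOTS_PATH = "/ct/v1/get-roots"


def fetch_get_roots(log_url, timeout=10):
    """Fetch and decode the get-roots response from a live log (network; not exercised offline)."""
    with urllib.request.urlopen(log_url.rstrip("/") + GET_ROOTS_PATH, timeout=timeout) as resp:
        return json.load(resp)


def accepted_root_fingerprints(get_roots_response):
    """Return {sha256-hex fingerprint: DER bytes} for every root the log accepts."""
    roots = {}
    for b64 in get_roots_response["certificates"]:
        der = base64.b64decode(b64)
        roots[hashlib.sha256(der).hexdigest()] = der
    return roots


def audit_log_roots(get_roots_response, ssl_roots, non_ssl_roots):
    """Compare the log's accepted roots with the CA's own classification.

    ssl_roots / non_ssl_roots: sets of SHA-256 hex fingerprints of the CA's root
    certificates, split by whether the CA intends to issue SSL certs from them.
    Returns the three answers a CA operator wants:
      - "ssl_accepted":     SSL roots the log will take (SCTs obtainable)
      - "ssl_missing":      SSL roots the log does NOT accept (certs cannot be logged)
      - "non_ssl_accepted": roots the CA never intends for SSL that the log still
                            accepts (the over-wide root list discussed in the thread)
    """
    accepted = set(accepted_root_fingerprints(get_roots_response))
    return {
        "ssl_accepted": sorted(ssl_roots & accepted),
        "ssl_missing": sorted(ssl_roots - accepted),
        "non_ssl_accepted": sorted(non_ssl_roots & accepted),
    }


# Constructed sample data: these are NOT real certificates, just placeholder
# byte strings standing in for DER so the example runs offline. Against a real
# log the entries are base64 DER X.509 roots and the fingerprints are the CA's.
_FAKE_DER = {
    "ssl-root-A": b"\x30\x82\x00\x01 constructed root A",
    "ssl-root-B": b"\x30\x82\x00\x02 constructed root B",
    "code-signing-root": b"\x30\x82\x00\x03 constructed root C",
}
SAMPLE_GET_ROOTS = {
    "certificates": [
        base64.b64encode(_FAKE_DER["ssl-root-A"]).decode(),
        base64.b64encode(_FAKE_DER["code-signing-root"]).decode(),
    ]
}
FP = {name: hashlib.sha256(der).hexdigest() for name, der in _FAKE_DER.items()}
SAMPLE_SSL_ROOTS = {FP["ssl-root-A"], FP["ssl-root-B"]}
SAMPLE_NON_SSL_ROOTS = {FP["code-signing-root"]}


if __name__ == "__main__":
    report = audit_log_roots(SAMPLE_GET_ROOTS, SAMPLE_SSL_ROOTS, SAMPLE_NON_SSL_ROOTS)
    for key, fps in report.items():
        print(key, [name for name, fp in FP.items() if fp in fps])
```

Running the script as-is reports `ssl-root-A` as accepted, `ssl-root-B` as missing, and `code-signing-root` as a non-SSL root the log accepts; the last bucket is the one a CA would want emptied (or, failing that, watched) if it wants the log to refuse an SCT for a certificate mistakenly issued from such a root. Comparing by SHA-256 fingerprint of the DER, rather than by subject name, avoids being fooled by distinct roots that share a subject.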
