Although CT could function for all types of certificates, Google doesn't necessarily utilize client or code signing certs. Until other software vendors implement CT as a requirement, you'll likely only see CT used for SSL. Plus, utilizing the logs only for SSL reduces log size. Logging every client certificate issued will quickly fill up the log with less important information.
Jeremy

-----Original Message-----
From: Trans [mailto:[email protected]] On Behalf Of Kurt Roeckx
Sent: Friday, July 18, 2014 3:10 PM
To: Rick Andrews
Cc: [email protected]
Subject: Re: [Trans] List of Roots Accepted by Log Servers

On Fri, Jul 18, 2014 at 11:11:24AM -0700, Rick Andrews wrote:
> I finally got around to reading the list of roots accepted by the pilot and
> aviator log servers (using the get-roots command). I see a number of our
> roots that seem inappropriate to me, meaning that we have never issued SSL
> certs (EV or non-EV) from those roots, and never intend to. It seems to me
> that Google cast a wide net to add all relevant roots to kickstart the log
> servers (perhaps bootstrapped from Mozilla's root list?), but at some point
> (before CT is "live") I would like to see the list trimmed.
>
> My thinking is that if I somehow issue an SSL cert from a root that I did not
> intend to use for SSL, I would prefer to catch that as quickly as possible;
> ideally, when the log server refuses to give me an SCT. Is Google willing to
> remove roots from pilot and aviator?

It's my understanding that CT shouldn't only work for HTTPS, but for all different kinds of certificates. Maybe you want a log that only contains HTTPS, and have logs for different kinds of certificates?

Kurt

_______________________________________________
Trans mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/trans
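The check Rick describes above, comparing a log's get-roots list against the roots a CA actually issues TLS certificates from, can be automated. The following is an added example, not code from the thread or from any CT log operator. It assumes the RFC 6962 get-roots response shape, `{"certificates": [<base64 DER>, ...]}`, and identifies roots by the SHA-256 fingerprint of their DER encoding; the sample response embedded below is constructed, and its "certificates" are placeholder byte strings rather than real root certificates.

```python
"""Audit a CT log's accepted-roots list against the roots a CA intends to use for TLS.

Added example. Assumes the RFC 6962 get-roots response shape
{"certificates": [<base64 DER>, ...]} and an allowlist keyed by SHA-256
fingerprint of the DER. The sample data is constructed, not real certificates.
"""
import base64
import hashlib
import json

# Constructed stand-ins for DER-encoded root certificates (placeholders, not real certs).
FAKE_DER = {
    "tls-root-1": b"DER:example-tls-root-1",
    "tls-root-2": b"DER:example-tls-root-2",
    "client-auth-root": b"DER:example-client-auth-root",
    "code-signing-root": b"DER:example-code-signing-root",
}

# A constructed get-roots response in the shape RFC 6962 section 4.7 describes.
SAMPLE_GET_ROOTS_RESPONSE = json.dumps({
    "certificates": [base64.b64encode(der).decode("ascii") for der in FAKE_DER.values()]
})


def fingerprint(der: bytes) -> str:
    """Hex SHA-256 over the DER encoding, the usual key for pinning a root in an allowlist."""
    return hashlib.sha256(der).hexdigest()


def log_root_fingerprints(get_roots_json: str) -> set:
    """Parse a get-roots response and return the fingerprint of every root the log accepts."""
    body = json.loads(get_roots_json)
    return {fingerprint(base64.b64decode(entry)) for entry in body["certificates"]}


def audit_roots(get_roots_json: str, intended_tls_roots: set, our_roots: set) -> dict:
    """Compare the log's root list against the CA's own inventory.

    our_roots:          fingerprints of every root the CA operates
    intended_tls_roots: the subset the CA actually issues TLS certificates from

    'unexpected' lists roots the log accepts that the CA never uses for TLS
    (a TLS cert mis-issued from one of these would still get an SCT).
    'missing' lists intended TLS roots the log does not accept
    (certs chaining to these would be refused an SCT).
    """
    accepted = log_root_fingerprints(get_roots_json)
    return {
        "unexpected": sorted(accepted & (our_roots - intended_tls_roots)),
        "missing": sorted(intended_tls_roots - accepted),
    }


def demo_audit() -> dict:
    """Run the audit over the constructed sample: two TLS roots, two non-TLS roots, all in the log."""
    our_roots = {fingerprint(der) for der in FAKE_DER.values()}
    intended_tls = {fingerprint(FAKE_DER["tls-root-1"]), fingerprint(FAKE_DER["tls-root-2"])}
    return audit_roots(SAMPLE_GET_ROOTS_RESPONSE, intended_tls, our_roots)


if __name__ == "__main__":
    result = demo_audit()
    print("roots accepted by the log but not intended for TLS:")
    for fp in result["unexpected"]:
        print("  ", fp)
    print("intended TLS roots the log does not accept:", result["missing"] or "none")
```

Against a live log you would replace `SAMPLE_GET_ROOTS_RESPONSE` with the body of `GET /ct/v1/get-roots` and maintain the two fingerprint sets alongside your issuance policy; a non-empty "unexpected" list is the situation Rick raises, and a non-empty "missing" list means certificates from those roots will not obtain an SCT from that log.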
