The transparency offered by CT has value outside of SSL, therefore I am interested in seeing the log services contain as much information about the WebPKI ecosystem as possible.
Of course nothing should require a log service operator to contain information they are not interested in. With that said, this is outside the scope of the specification of the CT protocol.

Ryan Hurst
@rmhrisk / [email protected]

Sent from my iPhone

> On Jul 18, 2014, at 2:15 PM, Jeremy Rowley <[email protected]> wrote:
>
> Although CT could function for all types of certificates, Google doesn't necessarily utilize client or code signing certs. Until other software vendors implement CT as a requirement, you'll likely only see CT used for SSL. Plus, utilizing the logs only for SSL reduces log size. Logging every client certificate issued will quickly fill up the log with less important information.
>
> Jeremy
>
> -----Original Message-----
> From: Trans [mailto:[email protected]] On Behalf Of Kurt Roeckx
> Sent: Friday, July 18, 2014 3:10 PM
> To: Rick Andrews
> Cc: [email protected]
> Subject: Re: [Trans] List of Roots Accepted by Log Servers
>
>> On Fri, Jul 18, 2014 at 11:11:24AM -0700, Rick Andrews wrote:
>> I finally got around to reading the list of roots accepted by the pilot and aviator log servers (using the get-roots command). I see a number of our roots that seem inappropriate to me, meaning that we have never issued SSL certs (EV or non-EV) from those roots, and never intend to. It seems to me that Google cast a wide net to add all relevant roots to kickstart the log servers (perhaps bootstrapped from Mozilla's root list?), but at some point (before CT is "live") I would like to see the list trimmed.
>>
>> My thinking is that if I somehow issue an SSL cert from a root that I did not intend to use for SSL, I would prefer to catch that as quickly as possible; ideally, when the log server refuses to give me an SCT. Is Google willing to remove roots from pilot and aviator?
>
> It's my understanding that CT shouldn't only work for HTTPS, but for all different kinds of certificates. Maybe you want a log that only contains HTTPS, and have logs for different kinds of certificates?
>
> Kurt

_______________________________________________
Trans mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/trans
