True. The point I'm trying to make is that we're a long way from requiring SCTs 
for all types of certs, SSL and non-SSL. Until all applications require SCTs 
for all types of certs, I see no reason to add the complexity of logging all 
certs. At this point in time, Google wants SCTs for EV SSL certs, and that's 
what I'm shooting for. Chrome knows which roots are enabled for EV, and so 
those are the only roots that log servers MUST accept.

Other CAs might want to log all their certs. Relying parties might want to push 
every cert they see into log servers. But I see value in limiting which of my 
roots are accepted by log servers, and I'd like the ability to control that.

-Rick

-----Original Message-----
From: Gervase Markham [mailto:[email protected]] 
Sent: Monday, July 21, 2014 2:33 AM
To: Rick Andrews; Mehner, Carl; [email protected]
Subject: Re: [Trans] List of Roots Accepted by Log Servers

On 19/07/14 02:02, Rick Andrews wrote:
> Unless I've lost control over my private keys, I don't need to monitor 
> CT logs to see if anyone else has issued an SSL cert from one of my 
> inappropriate roots. I can just look in my database.

Not implying anything about your security, Rick, but one of the benefits of CT 
is that people who don't realise that they've lost control of their private 
keys can find out! :-)

Gerv
_______________________________________________
Trans mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/trans