On 23/07/14 20:39, Stephen Kent wrote:
<snip>
>> Precerts are critical because otherwise server s/w has to be updated
>> to deliver SCTs to clients. We know that isn't going to happen
>> universally any time soon. I agree the I-D should mention this.
>
> So, the designers have decided that it is appropriate to require CAs to
> change their software, rather than asking server software developers
> to change theirs.
Actually, RFC6962 and 6962-bis do ask server software developers to
change their software too.
> I acknowledge that there are more servers in operation than CAs, but
> that's not really the right metric. The issue is how many sources of
> server software are used by the vast majority of servers.
The vast majority of deployed servers are running old versions of the
server software. And in many cases, the server operators would find it
very difficult to upgrade to the latest version even if they really,
really wanted to. e.g. Linux distros that still ship Apache httpd 2.2.x
and not 2.4.x, and which are very unlikely to ship 2.6.x until N years
after its initial release.
According to [1], the IETF's mission includes (emphasis mine):
- Identifying, and proposing solutions to, _pressing_ operational and
technical problems in the Internet.
- Specifying the development or usage of protocols and the
_near-term_ architecture to solve such technical problems for the Internet.
[1] http://www.ietf.org/tao.html
> I'm guessing that that number is small, especially compared to the
> number of CAs, many of which have had to write all or most of their
> provisioning software.
Google can incentivize CAs to implement CT, simply by changing the rules
for CAs that have trust anchors in Chrome. Google have no such power
over the server software authors or server software users, AFAICT.
The CAs that have written all or most of their provisioning software are
the CAs that should find it easiest to add CT support to their
platforms. (It's only the CAs that use third-party CA software that
aren't in control of this part of their own destiny).
I think it's clear that updating CA software is the only way we're
likely to see CT deployed in the _near-term_. Do you disagree?
> This is a critical design decision that ought to be articulated in the
> document, and agreed upon by the WG, not just the CT design team.
Well, if this WG is going to disagree with the very idea of
Precertificates, then it would be nice to know sooner rather than later!
--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
_______________________________________________
Trans mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/trans