Rob,
...
Hi Watson.
Without Precertificates, we would have to wait for all of the world's TLS Servers to be updated to support the RFC6962 TLS extension and/or OCSP Stapling before TLS Clients would then be able/willing to abort TLS handshakes when an SCT is not provided. We don't want to have to wait that long!
You noted this rationale previously, when I asked whether we really need pre-certs, and I failed to reply to your message. (lost in the inbox clutter)

I understand the desire to reduce the delay in deployment. However, the specific mechanism you mentioned, a TLS client aborting a handshake because of a lack of an SCT (embedded or passed explicitly in the handshake), is still being debated.

Specifically, I noted that this hard fail approach does not seem compatible with an incremental deployment model, absent a lot of details. During the IETF meeting in Toronto, Ben stated that he agreed that an incremental deployment model was desirable, and thus requirements for TLS client behavior need to be revisited.
Steve
_______________________________________________
Trans mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/trans