Ben,
On 9 September 2014 18:39, Stephen Kent <[email protected]> wrote:
I agree that the serial number is critical if one plans to revoke the cert.
But the I-D makes no mention of remediation mechanisms, an omission I noted in
my review a while ago.
It makes no mention because they are not in scope. The point of CT is
to allow others to vet certificates and take appropriate action when
needed.
As I noted earlier, there is no threat model for the CT mechanism.
And there is no mapping of CT to the threat model.
We usually do not standardize security mechanisms when these two
critical elements are missing.
It is not up to us to describe all possible problems and how they are
remedied. If you think that's a valuable exercise, be my guest.
There is a big difference between "all" and "none."
However, when you suggest that inclusion of some particular thing is
problematic, then we can, of course, refer to potential problems CT
might reveal and available remedies as an illustration of why that
thing is needed.
I don't know what this last, rather long sentence means. Please elaborate.
Steve
_______________________________________________
Trans mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/trans