On 11/09/14 12:31, Ben Laurie wrote:
On 11 September 2014 12:27, Ben Laurie <[email protected]> wrote:
On 11 September 2014 12:17, Rob Stradling <[email protected]> wrote:
On 11/09/14 11:56, Eran Messeri wrote:

The poison extension is removed from the Precertificate prior to the log
producing an SCT over it, so a client never has to know about it. What
the TLS client has to do is to remove the "embedded SCTs" extension
from the certificate prior to validating the signature.

Ditto for the future "redactedlabels" extension.

That one appears in the cert, too, doesn't it?

Sorry, ignore that, it is in the cert but not the precert (though that
seems like an arbitrary decision to me).

I was ditto-ing Eran's second sentence, not his first. Sorry if I wasn't clear.

Yes, I think we could put the "redactedlabels" extension in the precert too. Or, might those who wish to use the redaction mechanism also want to keep secret the number of redacted domain components?

Hmmm...if we do decide that the number of redacted domain components can be revealed by the precert, then it might be simpler to scrap the "redactedlabels" extension altogether and instead say that "(PRIVATE)" always covers precisely 1 domain component. Then, if you want to redact 3 components, you'd put "SAN:dNSName=(PRIVATE).(PRIVATE).(PRIVATE).mydomain.com" in the precert.

(To reduce bloat, we could shrink "(PRIVATE)" to "?". e.g. "SAN:dNSName=?.?.?.mydomain.com").

<snip>

--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
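The two reconstructions Eran describes (the log drops the poison extension from the precert TBSCertificate before signing; the client drops the embedded-SCT extension from the final certificate before checking the SCT signature) must yield byte-identical TBSCertificates, or the SCT will not verify. The following is an added example, not code from the thread or from any CT implementation: a minimal hand-rolled DER encoder/decoder, a constructed sample TBSCertificate for mydomain.com (not a real CA's output), and a strip_extension routine that removes one extension by OID and re-encodes the enclosing lengths. The OIDs and the poison value (extnValue = ASN.1 NULL, critical) are as RFC 6962 defines them; the SCT-list extension value is placeholder bytes.

```python
OID_EMBEDDED_SCTS = "1.3.6.1.4.1.11129.2.4.2"   # RFC 6962 s3.3, in the final cert
OID_PRECERT_POISON = "1.3.6.1.4.1.11129.2.4.3"  # RFC 6962 s3.1, in the precert only
OID_SAN = "2.5.29.17"


def _len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def tlv(tag, body):
    """Encode one DER TLV with a single-octet tag."""
    return bytes([tag]) + _len(len(body)) + body


def oid(dotted):
    """DER-encode an OBJECT IDENTIFIER given in dotted form."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))
    return tlv(0x06, bytes(out))


def decode(buf, pos):
    """Return (tag, body_start, body_end) of the TLV starting at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    if first & 0x80:
        n = first & 0x7F
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    else:
        length, hdr = first, 2
    return tag, pos + hdr, pos + hdr + length


def children(buf, start, end):
    """Yield (tlv_start, tag, body_start, body_end) for each TLV in buf[start:end]."""
    pos = start
    while pos < end:
        tag, s, e = decode(buf, pos)
        yield pos, tag, s, e
        pos = e


def extension(ext_oid, value_der, critical=False):
    """Extension ::= SEQUENCE { extnID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }."""
    body = oid(ext_oid) + (tlv(0x01, b"\xff") if critical else b"") + tlv(0x04, value_der)
    return tlv(0x30, body)


def build_tbs(extensions):
    """Constructed sample v3 TBSCertificate for CN=mydomain.com (not a real certificate)."""
    version = tlv(0xA0, tlv(0x02, b"\x02"))
    serial = tlv(0x02, b"\x01\x02\x03")
    sig_alg = tlv(0x30, oid("1.2.840.113549.1.1.11") + tlv(0x05, b""))  # sha256WithRSAEncryption
    name = tlv(0x30, tlv(0x31, tlv(0x30, oid("2.5.4.3") + tlv(0x0C, b"mydomain.com"))))
    validity = tlv(0x30, tlv(0x17, b"240101000000Z") + tlv(0x17, b"250101000000Z"))
    spki = tlv(0x30, tlv(0x30, oid("1.2.840.10045.2.1") + oid("1.2.840.10045.3.1.7"))
               + tlv(0x03, b"\x00\x04" + b"\x00" * 64))  # placeholder P-256 public key
    exts = tlv(0xA3, tlv(0x30, b"".join(extensions))) if extensions else b""
    return tlv(0x30, version + serial + sig_alg + name + validity + name + spki + exts)


def strip_extension(tbs_der, ext_oid):
    """Return tbs_der with the single extension identified by ext_oid removed and the
    enclosing lengths re-encoded.  Raises ValueError unless exactly one such extension
    exists.  If it was the only extension, the whole [3] Extensions field is dropped,
    because RFC 5280 defines Extensions as SEQUENCE SIZE (1..MAX)."""
    target = oid(ext_oid)
    tag, s, e = decode(tbs_der, 0)
    if tag != 0x30 or e != len(tbs_der):
        raise ValueError("input is not a single DER SEQUENCE")
    fields = list(children(tbs_der, s, e))
    wrappers = [f for f in fields if f[1] == 0xA3]
    if len(wrappers) != 1:
        raise ValueError("no [3] Extensions field")
    _, _, ws, we = wrappers[0]
    seq_tag, ss, se = decode(tbs_der, ws)
    if seq_tag != 0x30 or se != we:
        raise ValueError("malformed Extensions")
    kept, removed = [], 0
    for pos, _, es, ee in children(tbs_der, ss, se):
        _, _, oid_end = decode(tbs_der, es)  # extnID is the first element of Extension
        if tbs_der[es:oid_end] == target:
            removed += 1
            continue
        kept.append(tbs_der[pos:ee])
    if removed != 1:
        raise ValueError("expected exactly one %s extension, found %d" % (ext_oid, removed))
    new_exts = tlv(0xA3, tlv(0x30, b"".join(kept))) if kept else b""
    body = b"".join(new_exts if t == 0xA3 else tbs_der[p:e] for p, t, _, e in fields)
    return tlv(0x30, body)


# Constructed sample: a precert and the final certificate issued from it.
SAN_EXT = extension(OID_SAN, tlv(0x30, tlv(0x82, b"mydomain.com")))        # GeneralNames { dNSName }
POISON_EXT = extension(OID_PRECERT_POISON, tlv(0x05, b""), critical=True)  # extnValue holds NULL
SCT_EXT = extension(OID_EMBEDDED_SCTS, tlv(0x04, b"\x00\x00"))             # placeholder SCT list
PRECERT_TBS = build_tbs([SAN_EXT, POISON_EXT])
FINAL_TBS = build_tbs([SAN_EXT, SCT_EXT])


def log_signed_bytes(precert_tbs):
    """The TBSCertificate the log signs for a precert entry: precert TBS minus the poison."""
    return strip_extension(precert_tbs, OID_PRECERT_POISON)


def client_reconstructed_bytes(final_tbs):
    """The TBSCertificate a client re-derives from the final cert before verifying the SCT."""
    return strip_extension(final_tbs, OID_EMBEDDED_SCTS)


if __name__ == "__main__":
    print("log view == client view:", log_signed_bytes(PRECERT_TBS) == client_reconstructed_bytes(FINAL_TBS))
```

The equality holds only because the sample keeps every other extension in the same order and encoding in both certificates; a CA that reorders or re-encodes anything between precert and final certificate produces a final certificate whose embedded SCTs cannot be verified, which is the practical reason clients (and logs, when they check a final cert against a precert entry) compare reconstructed bytes rather than parsed fields. Note that the stripping is done on the TBSCertificate, not the outer Certificate: the CA's signature over the final certificate is checked on the unmodified bytes, and the stripped TBS is used only for the SCT signature.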

_______________________________________________
Trans mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/trans
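The "one marker covers precisely one domain component" redaction rule Rob floats above, written out as the check a log or client would apply between a precert name and a final-certificate name. This is an added example, not code from the thread or from any CT implementation, and it fixes several details the thread leaves open as assumptions: "?" is the marker with "(PRIVATE)" accepted as the long spelling, a marker may stand at any label position, it matches exactly one non-empty label, a final-certificate name may not itself contain a marker, and at least one label must stay unredacted.

```python
MARKERS = {"?", "(private)"}  # assumed spellings; compared case-insensitively


def _labels(name):
    """Split a dNSName into lowercase labels, ignoring one trailing dot."""
    name = name.strip().lower()
    if name.endswith("."):
        name = name[:-1]
    return name.split(".")


def redact(name, n, marker="?"):
    """Precert form of name with its n leftmost labels replaced by marker.
    Assumption: at least one label must remain visible."""
    labels = _labels(name)
    if not 0 <= n < len(labels):
        raise ValueError("can redact at most %d of %d labels" % (len(labels) - 1, len(labels)))
    return ".".join([marker] * n + labels[n:])


def redacted_count(precert_name):
    """How many components the precert reveals as redacted (this count is public)."""
    return sum(1 for label in _labels(precert_name) if label in MARKERS)


def matches(precert_name, final_name):
    """True iff final_name is consistent with the redacted precert_name: the same
    number of labels, each marker covering exactly one non-empty, non-marker label,
    and every unredacted label identical."""
    p, f = _labels(precert_name), _labels(final_name)
    if len(p) != len(f):
        return False
    for pl, fl in zip(p, f):
        if pl in MARKERS:
            if not fl or fl in MARKERS:
                return False
        elif pl != fl:
            return False
    return True


if __name__ == "__main__":
    precert = redact("a.b.c.mydomain.com", 3)
    print(precert, redacted_count(precert), matches(precert, "a.b.c.mydomain.com"))
```

Because each marker is exactly one label, the label-count comparison in matches is what makes the scheme checkable at all, and it is also exactly the information leak the thread is weighing: anyone reading the precert learns how many components were redacted, even though they learn nothing about their contents.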
