On 10/1/14, 10:47 AM, "David Leon Gil" <[email protected]> wrote:
>On Wed, Oct 1, 2014 at 10:29 AM, Stephen Kent <[email protected]> wrote: >> I disagree. Once Ben said that he meant mis-issuance to be interpreted >>in a >> much broader context, >> and cited EV cert requirements as an example, I pursued documenting what >> that would mean. If >> the WG wants to say that mis-issuance is more than issuing a cert to the >> wrong Subject, then >> we need to say just what it is, not hand wave. > >You are missing the point of certificate transparency. > >We have no idea all the forms that misissuance -- particularly >malicious misissuance -- might take. If it were trivial to detect >"misissuance", browsers would validate certs for "misissuance" and the >problem would be solved. > >The point of having a log that includes everything signed with a CA's >key is that analysis of issued certificates can be conducted post-hoc. > >Proposals to limit the scope of what logs can log kneecap CT. They >should not be considered. Maybe the term mis-issuance should just be discarded. There seems to be agreement that logs should accept anything signed by one of the CAs covered by a log. Monitors can always detect whatever they want relative to the certificate collection maintained by a log (be it “mis-issuance” or something else). _______________________________________________ Trans mailing list [email protected] https://www.ietf.org/mailman/listinfo/trans
