#9: Security Considerations for number and variety of SCTs
Changes (by [email protected]):
* status: reopened => closed
* resolution: => fixed
Comment:
New text:
{{{
<section title="Multiple SCTs">
<t>
TLS servers may wish to offer multiple SCTs, each from a
different log.
<list style="symbols">
<t>
If a CA and a log collude, it is possible to temporarily
hide misissuance from clients. Incorporating SCTs from different logs
makes it more difficult to mount this attack.
</t>
<t>
If a log misbehaves, a consequence may be that clients cease
to trust it. Since the time an SCT may be in use can be considerable
(several years is common in current practice when the SCT is embedded in a
certificate), servers may wish to reduce the probability of their
certificates being rejected as a result by including SCTs from different
logs.
</t>
<t>
TLS clients may have policies related to the above risks
requiring servers to present multiple SCTs. For example, <xref
target="Chromium.Log.Policy">Chromium</xref> currently requires multiple
SCTs to be presented with EV certificates in order for the EV indicator to
be shown.
</t>
</list>
</t>
</section>
}}}
--
--------------------------------------+------------------------------
Reporter: [email protected] | Owner: [email protected]
Type: defect | Status: closed
Priority: minor | Milestone: review
Component: rfc6962-bis | Version:
Severity: - | Resolution: fixed
Keywords: |
--------------------------------------+------------------------------
Ticket URL: <http://trac.tools.ietf.org/wg/trans/trac/ticket/9#comment:4>
trans <http://tools.ietf.org/trans/>
_______________________________________________
Trans mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/trans
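As an added example that is not part of the ticket, the draft text or any real client's code, the following Python models the client-side policy the new text describes: SCTs are counted by distinct log, so a certificate whose SCTs all come from one log is rejected as soon as that log is distrusted. The log names, the distrust date and the threshold of two logs are assumptions.

```python
# Simplified TLS-client SCT policy check (added example, not from RFC 6962-bis).
# Policy thresholds and log names below are assumptions, not any real client's rules.
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class SCT:
    log_id: str       # identifies the log that issued this SCT
    timestamp: date   # when the log promised to include the certificate


# Constructed log list: a log is "qualified" for an SCT whose timestamp is
# earlier than the log's distrust date (None = still trusted).
LOG_DISTRUST = {
    "log-a": None,
    "log-b": None,
    "log-c": date(2015, 6, 1),  # assume log-c was distrusted on this date
}

MIN_DISTINCT_LOGS = 2  # assumed client policy, not Chromium's actual numbers


def qualified_logs(scts, logs=LOG_DISTRUST):
    """Return the set of distinct, still-qualified logs among the given SCTs."""
    result = set()
    for sct in scts:
        if sct.log_id not in logs:
            continue  # unknown log: the SCT carries no weight
        distrusted_on = logs[sct.log_id]
        if distrusted_on is not None and sct.timestamp >= distrusted_on:
            continue  # SCT issued after the log lost trust
        result.add(sct.log_id)
    return result


def sct_policy_ok(scts, minimum=MIN_DISTINCT_LOGS, logs=LOG_DISTRUST):
    """Accept only if the SCTs come from at least `minimum` distinct qualified logs.

    Several SCTs from the same log count once: log diversity, not raw SCT
    count, is what limits both CA/log collusion and the fallout from a
    single log being distrusted.
    """
    return len(qualified_logs(scts, logs)) >= minimum
```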