Rob,
...
I think the cert type marking and checking info should be included in
the base spec, if only to address the second problem
+1 to Eran's suggestion of using the CtExtensions field, regardless of
whether Steve's proposed cert compliance checks are included in the
base spec or a separate document. I can't think of any better place
(than CtExtensions) in which to put optional fields into an SCT.
I'm arguing that there must be a way for a log to advertise what checks
it performs when it does cert path validation to one of the trust
anchors that it advertises. This should not be optional.
But, I agree that this does not require a submitter to assert a cert type.
However, there still seems to be considerable benefit to having the SCT
declare to a client what cert path validation was performed as part of
log acceptance.
Incidentally, +1 to Steve's recent comment...
"The description of the extensions field seems to be inspired by X.509v3.
That's OK, but one needs to define a top-level format for extensions to
ensure backward compatibility (as per v3 extensions) to make this work.
That level of specification is missing here."
thanks.
Steve