6962-bis notes that:
  "Those who are concerned about misissue can monitor the logs, asking
   them regularly for all new entries, and can thus check whether
   domains they are responsible for have had certificates issued that
   they did not expect."

If you act as a monitor yourself, you can be sure that the logs you're monitoring aren't misbehaving. You don't have to trust the logs.

However, if you use the services of a third-party monitor instead (which I expect most domain owners would prefer to do), then you have to trust that that third-party monitor isn't hiding any certs from you.

Therefore, ISTM that some domain owners might want to be able to use the services of multiple independent monitors simultaneously.

To facilitate this, it would be useful to define a standard API for querying a monitor. This API would allow callers to search for certs issued to a particular domain name/space, set up notifications of (mis-)issuance, etc.

Matt Palmer and I are planning to start work on a -00 draft soon. If anyone else would like to get involved, please let us know.

--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online

_______________________________________________
Trans mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/trans
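
The cross-check that querying multiple independent monitors makes possible, as an added example that is not part of the original message or of any draft: the response shape (`sha256`, `dns_names`, `issuer`), the monitor names and the function names are assumptions, and the sample data is constructed.

```python
# Added example: cross-check several CT monitors for one domain.
# The entry shape (sha256 / dns_names / issuer) is an assumption;
# the message above only proposes that a standard API be defined.

def covers(dns_name: str, domain: str) -> bool:
    """True if a certificate dNSName falls inside the owner's name space."""
    name = dns_name.lower().rstrip(".")
    domain = domain.lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    # Require a label boundary so "notexample.com" does not match.
    return name == domain or name.endswith("." + domain)


def cross_check(domain, reports, expected):
    """reports: {monitor_name: [entry, ...]}; expected: fingerprints the
    owner knows it requested. Returns (omitted, unexpected)."""
    seen = {}         # fingerprint -> entry, union over all monitors
    per_monitor = {}  # monitor -> fingerprints it reported for the domain
    for monitor, entries in reports.items():
        fps = set()
        for e in entries:
            if any(covers(n, domain) for n in e["dns_names"]):
                fp = e["sha256"].lower()
                fps.add(fp)
                seen.setdefault(fp, e)
        per_monitor[monitor] = fps
    # A cert one monitor reports and another does not means the second
    # is lagging, watches fewer logs, or is hiding the cert.
    omitted = {m: sorted(set(seen) - fps)
               for m, fps in per_monitor.items() if set(seen) - fps}
    unexpected = sorted(fp for fp in seen if fp not in expected)
    return omitted, unexpected


# Constructed sample data (fingerprints shortened for readability).
REPORTS = {
    "monitor-a": [
        {"sha256": "aa11", "dns_names": ["example.com", "www.example.com"], "issuer": "CA One"},
        {"sha256": "bb22", "dns_names": ["*.example.com"], "issuer": "CA Two"},
        {"sha256": "dd44", "dns_names": ["notexample.com"], "issuer": "CA One"},
    ],
    "monitor-b": [
        {"sha256": "AA11", "dns_names": ["example.com"], "issuer": "CA One"},
    ],
}

if __name__ == "__main__":
    omitted, unexpected = cross_check("example.com", REPORTS, expected={"aa11"})
    print("omitted by monitor:", omitted)
    print("not in owner inventory:", unexpected)
```

An omission is only a signal to investigate: monitors may legitimately differ in which logs they watch and how far behind they run.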
