Hi Stephen,

On Thu, Jun 11, 2015 at 05:40:55PM -0400, Stephen Kent wrote:
> Rob,
> >To facilitate this, it would be useful to define a standard API for
> >querying a monitor. This API would allow callers to search for certs
> >issued to a particular domain name/space, set up notifications of
> >(mis-)issuance, etc.
>
> I'm always in favor of interface standards, but this is not the sort of
> API I would have imagined. I've thought that one might want a standard
> way for a client of a Monitor to submit the info needed for the Monitor to
> "protect" the client: a set of Subject names/SANs, a set of public keys
> associated with each Subject/SAN, and a way to inform the client when a
> cert is logged that does not match the supplied info. One also should be
> able to include an indication of what cert profile these certs are
> supposed to match, e.g., DV, EV, SMIME, IPsec, ...

I believe that comes under Rob's very general point of "set up notifications
for (mis-)issuance". I certainly intend to try and provide means for
specifying as much detail as possible to assist in detecting misissuance.

> Consider this my contribution to your draft.

Thanks for your input. It's good to know that someone else thinks it would
be useful to be able to manipulate notifications programmatically.

- Matt
--
"The user-friendly computer is a red herring. The user-friendliness of a
book just makes it easier to turn pages. There's nothing user-friendly about
learning to read."
-- Alan Kay
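
The registration-and-notify check discussed in the message above, as an added example that is not part of the original thread or of any TRANS draft. The `Registration` shape, the reason strings and the pre-parsed log entries (with a profile already assigned by the monitor) are assumptions made for illustration.

```python
import hashlib
from dataclasses import dataclass

def key_id(spki_der: bytes) -> str:
    """Identify a public key by the SHA-256 of its SubjectPublicKeyInfo bytes."""
    return hashlib.sha256(spki_der).hexdigest()

@dataclass(frozen=True)
class Registration:          # hypothetical shape of what a client submits
    names: frozenset         # Subject names/SANs the client controls
    keys: frozenset          # key_id() of every key the client authorizes
    profile: str             # expected cert profile, e.g. "DV" or "EV"

def covers(pattern: str, name: str) -> bool:
    """Exact match, or a leftmost-label wildcard covering exactly one label."""
    pattern, name = pattern.lower().rstrip("."), name.lower().rstrip(".")
    if pattern == name:
        return True
    head, _, parent = name.partition(".")
    return pattern.startswith("*.") and bool(head) and parent == pattern[2:]

def check(reg: Registration, entry: dict) -> list:
    """Reasons a logged cert fails the registration ([] = matches or unrelated)."""
    # Match in both directions: a logged wildcard SAN also affects a registered host.
    hits = [s for s in entry["sans"]
            if any(covers(n, s) or covers(s, n) for n in reg.names)]
    if not hits:
        return []            # cert is not for any of this client's names
    reasons = []
    if entry["key"] not in reg.keys:
        reasons.append("unregistered-key")
    if entry["profile"] != reg.profile:
        reasons.append("profile-mismatch")
    return reasons

# Constructed sample data: key bytes are stand-ins, not real SPKI encodings.
REG = Registration(frozenset({"example.com", "*.example.com"}),
                   frozenset({key_id(b"constructed-key-A")}), "EV")
LOGGED = [
    {"sans": ["www.example.com"], "key": key_id(b"constructed-key-A"), "profile": "EV"},
    {"sans": ["mail.example.com"], "key": key_id(b"constructed-key-B"), "profile": "DV"},
    {"sans": ["example.org"], "key": key_id(b"constructed-key-B"), "profile": "DV"},
]

if __name__ == "__main__":
    for e in LOGGED:
        print(e["sans"], check(REG, e) or "ok")
```

A non-empty result from `check` is what the monitor would turn into a notification to the registering client.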