On 22/07/15 13:53, Stephen Kent wrote:
<snip>
> Given the history of browser behavior wrt cert revocation status
> checking, this is not a surprising perspective.

I am a bit surprised, actually.  Some browsers no longer perform
out-of-band revocation checks by contacting CA revocation servers
directly, but they do still process revocation information passed
in-band (i.e. OCSP Stapling).

yes, some do. Having a server pass the OCSP data is analogous to having
it pass an SCT, and we've been told that it will take too long for that
to happen, hence the embedded SCT in a cert feature of CT.

SCTs are passed in-band.

Yes, but 6962-bis says that TLS clients MAY contact a log to get a proof
for the SCT, and the gossip proposal relies on clients contacting logs
to acquire STHs. So, ...

I think there is value in a TLS client verifying the SCTs supplied in-band in the TLS handshake even if that client doesn't also contact the log out-of-band to fetch and verify STHs and/or inclusion proofs and/or consistency proofs.

--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
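As an added illustration of the in-band check Rob describes (a TLS client verifying the SCTs delivered in the handshake against the keys of logs it trusts, with no out-of-band connection to any log), the Go program below is an example written for this thread and is not code from the mailing list or from any CT implementation. It parses a SignedCertificateTimestampList as carried in the signed_certificate_timestamp extension, rebuilds the RFC 6962 section 3.2 digitally-signed input for an x509_entry, and verifies the ECDSA/SHA-256 signature against a trusted-log map keyed by log id. The log key, the placeholder certificate bytes, and the IssueSCT/WrapSCTList helpers (which stand in for a log and a server) are constructed for the demo; the parse and verify functions are the part a client would run.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// SCT mirrors the SignedCertificateTimestamp structure of RFC 6962 section 3.2.
type SCT struct {
	Version    byte
	LogID      [32]byte // SHA-256 of the log's DER SubjectPublicKeyInfo
	Timestamp  uint64   // milliseconds since the Unix epoch
	Extensions []byte
	HashAlg    byte   // 4 = sha256 (RFC 5246 SignatureAndHashAlgorithm)
	SigAlg     byte   // 3 = ecdsa
	Signature  []byte // DER-encoded ECDSA-Sig-Value
}

// ParseSCTList parses a SignedCertificateTimestampList: a 2-byte total length
// followed by 2-byte-length-prefixed serialized SCTs.
func ParseSCTList(b []byte) ([]SCT, error) {
	if len(b) < 2 || int(binary.BigEndian.Uint16(b)) != len(b)-2 {
		return nil, errors.New("sct list: bad outer length")
	}
	b = b[2:]
	var out []SCT
	for len(b) > 0 {
		if len(b) < 2 || int(binary.BigEndian.Uint16(b)) > len(b)-2 {
			return nil, errors.New("sct list: bad item length")
		}
		l := int(binary.BigEndian.Uint16(b))
		s, err := ParseSCT(b[2 : 2+l])
		if err != nil {
			return nil, err
		}
		out = append(out, s)
		b = b[2+l:]
	}
	return out, nil
}

// ParseSCT decodes one serialized SCT (version, log_id, timestamp,
// extensions, then the TLS DigitallySigned structure).
func ParseSCT(b []byte) (SCT, error) {
	var s SCT
	if len(b) < 43 || b[0] != 0 {
		return s, errors.New("sct: short or unsupported version")
	}
	s.Version = b[0]
	copy(s.LogID[:], b[1:33])
	s.Timestamp = binary.BigEndian.Uint64(b[33:41])
	extLen := int(binary.BigEndian.Uint16(b[41:43]))
	b = b[43:]
	if len(b) < extLen+4 {
		return s, errors.New("sct: truncated extensions")
	}
	s.Extensions, b = b[:extLen], b[extLen:]
	s.HashAlg, s.SigAlg = b[0], b[1]
	sigLen := int(binary.BigEndian.Uint16(b[2:4]))
	if len(b[4:]) != sigLen {
		return s, errors.New("sct: bad signature length")
	}
	s.Signature = b[4:]
	return s, nil
}

// signedData builds the digitally-signed input of RFC 6962 section 3.2 for an
// x509_entry: version, signature_type certificate_timestamp(0), timestamp,
// entry_type x509_entry(0), 3-byte-length-prefixed certificate, extensions.
func signedData(s SCT, certDER []byte) []byte {
	var buf bytes.Buffer
	buf.Write([]byte{s.Version, 0})
	binary.Write(&buf, binary.BigEndian, s.Timestamp)
	binary.Write(&buf, binary.BigEndian, uint16(0))
	l := len(certDER)
	buf.Write([]byte{byte(l >> 16), byte(l >> 8), byte(l)})
	buf.Write(certDER)
	binary.Write(&buf, binary.BigEndian, uint16(len(s.Extensions)))
	buf.Write(s.Extensions)
	return buf.Bytes()
}

// LogID computes the RFC 6962 log id for a log public key.
func LogID(pub *ecdsa.PublicKey) ([32]byte, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return [32]byte{}, err
	}
	return sha256.Sum256(der), nil
}

// VerifySCT is the client-side check: the SCT must come from a trusted log,
// use sha256/ecdsa, carry a timestamp not in the future, and its signature
// must verify over the reconstructed signing input for this certificate.
func VerifySCT(s SCT, certDER []byte, trusted map[[32]byte]*ecdsa.PublicKey, now time.Time) error {
	pub, ok := trusted[s.LogID]
	if !ok {
		return errors.New("sct: unknown log id")
	}
	if s.HashAlg != 4 || s.SigAlg != 3 {
		return errors.New("sct: unsupported signature algorithm")
	}
	if int64(s.Timestamp) > now.UnixNano()/1e6 {
		return errors.New("sct: timestamp in the future")
	}
	digest := sha256.Sum256(signedData(s, certDER))
	if !ecdsa.VerifyASN1(pub, digest[:], s.Signature) {
		return errors.New("sct: signature does not verify")
	}
	return nil
}

// IssueSCT stands in for a log (constructed helper): it signs an x509_entry
// for certDER at timestamp ts and returns the serialized SCT.
func IssueSCT(priv *ecdsa.PrivateKey, certDER []byte, ts uint64) ([]byte, error) {
	id, err := LogID(&priv.PublicKey)
	if err != nil {
		return nil, err
	}
	s := SCT{LogID: id, Timestamp: ts, HashAlg: 4, SigAlg: 3}
	digest := sha256.Sum256(signedData(s, certDER))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return nil, err
	}
	var buf bytes.Buffer
	buf.WriteByte(s.Version)
	buf.Write(s.LogID[:])
	binary.Write(&buf, binary.BigEndian, s.Timestamp)
	binary.Write(&buf, binary.BigEndian, uint16(0)) // no extensions
	buf.Write([]byte{s.HashAlg, s.SigAlg})
	binary.Write(&buf, binary.BigEndian, uint16(len(sig)))
	buf.Write(sig)
	return buf.Bytes(), nil
}

// WrapSCTList stands in for the server: it frames serialized SCTs as the
// SignedCertificateTimestampList sent in the TLS extension.
func WrapSCTList(scts ...[]byte) []byte {
	var body bytes.Buffer
	for _, s := range scts {
		binary.Write(&body, binary.BigEndian, uint16(len(s)))
		body.Write(s)
	}
	out := make([]byte, 2, 2+body.Len())
	binary.BigEndian.PutUint16(out, uint16(body.Len()))
	return append(out, body.Bytes()...)
}

func main() {
	// Constructed sample: a throwaway log key and placeholder certificate bytes.
	logKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	certDER := []byte("constructed placeholder, not real DER")
	raw, _ := IssueSCT(logKey, certDER, uint64(time.Now().UnixNano()/1e6))
	list, _ := ParseSCTList(WrapSCTList(raw))
	id, _ := LogID(&logKey.PublicKey)
	trusted := map[[32]byte]*ecdsa.PublicKey{id: &logKey.PublicKey}
	fmt.Println("genuine:", VerifySCT(list[0], certDER, trusted, time.Now()))
	fmt.Println("tampered:", VerifySCT(list[0], []byte("other"), trusted, time.Now()))
}
```

Note that nothing here requires network access: the trusted-log map is the client's shipped log list, and the check proves only that a trusted log promised to include the certificate. Whether the log kept that promise (inclusion in a tree head, and consistency of tree heads over time) is what the out-of-band STH, inclusion-proof and consistency-proof fetches in 6962-bis and the gossip proposal add on top.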

_______________________________________________
Trans mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/trans
