On 19 October 2015 at 06:31, Rob Stradling <[email protected]> wrote:
> On 17/08/15 18:24, 'Adam Eijdenberg' via certificate-transparency wrote:
>>
>> (posted to [email protected], [email protected]
>> and [email protected])
>
> <snip>
>>
>> Lookahead:
>> - We're very interested in exploring how we make it viable for a
>> site-owner to be able to opt-in to requiring CT, ahead of any general
>> browser-enforced deadlines. We would welcome participation in helping
>> define what this might look like in a manner that would work well for
>> both browsers and site-owners.
>
>
> Adam,
>
> RFC 7633: "X.509v3 Transport Layer Security (TLS) Feature Extension"
>
> This newly standardized certificate extension could be used to signal that
> the TLS server MUST send the CT TLS extension.
>
> I realize that this may not suit many early adopters, since few deployed
> servers support the CT TLS extension yet. But I figured it was worth
> mentioning.

It could... but that seems awfully limited. Requiring CT is a lot easier than requiring one of the specific forms. If you change infrastructure, and lose the ability to include a TLS Extension, you can at least staple OCSP or get them embedded in a cert.

-tom
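
The trade-off discussed in this thread, as an added example that is not part of the original messages: it decodes an RFC 7633 TLS Feature extension value and compares a check pinned to the CT TLS extension (type 18, `signed_certificate_timestamp`) with a hypothetical site policy that accepts SCTs from any of the three delivery channels. Function names, channel labels and the sample bytes are constructed for illustration.

```python
# Added illustration: all names here are hypothetical, and the sample bytes are constructed.
SCT_TLS_EXTENSION = 18  # signed_certificate_timestamp TLS extension type (RFC 6962)
SCT_CHANNELS = {"tls_extension", "ocsp_staple", "embedded"}  # labels assumed for this example

def parse_tls_features(der):
    """Decode an RFC 7633 Features value (SEQUENCE OF INTEGER), short-form DER lengths only."""
    if len(der) < 2 or der[0] != 0x30 or der[1] >= 0x80 or der[1] != len(der) - 2:
        raise ValueError("expected a short-form DER SEQUENCE")
    features, pos = [], 2
    while pos < len(der):
        if pos + 2 > len(der) or der[pos] != 0x02:
            raise ValueError("expected INTEGER")
        length = der[pos + 1]
        end = pos + 2 + length
        if length == 0 or length >= 0x80 or end > len(der):
            raise ValueError("bad INTEGER length")
        value = int.from_bytes(der[pos + 2:end], "big", signed=True)
        if value < 0:
            raise ValueError("TLS extension types are non-negative")
        features.append(value)
        pos = end
    return features

def feature_pin_ok(cert_features, server_hello_extensions):
    """RFC 7633 style check: every feature named in the certificate must be in the ServerHello."""
    return all(f in server_hello_extensions for f in cert_features)

def any_sct_channel_ok(channels_with_scts):
    """Hypothetical 'require CT' policy: SCTs by any delivery channel are enough."""
    return bool(set(channels_with_scts) & SCT_CHANNELS)

def compare(feature_der, server_hello_extensions, channels_with_scts):
    """Evaluate both policies against one observed handshake."""
    features = parse_tls_features(feature_der)
    return {
        "features": features,
        "feature_pin": feature_pin_ok(features, server_hello_extensions),
        "any_channel": any_sct_channel_ok(channels_with_scts),
    }

if __name__ == "__main__":
    # Constructed case: the certificate pins extension 18, but after an infrastructure
    # change the server only staples OCSP (extension 5), which carries the SCTs.
    pinned = bytes.fromhex("3003020112")
    print(compare(pinned, {5}, {"ocsp_staple"}))
```

In the constructed case the pinned certificate fails the handshake check even though SCTs still reach the client through the stapled OCSP response.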
