On Thu, 22 Oct 2015 at 23:49 Daniel Kahn Gillmor <[email protected]> wrote:
> On Thu 2015-10-22 06:23:35 -0400, Ben Laurie wrote:
> > On Thu, 22 Oct 2015 at 03:16 Tom Ritter <[email protected]> wrote:
> >> On 21 October 2015 at 08:52, Linus Nordberg <[email protected]> wrote:
> >> > Impractical since the browser would have to know which domain that
> >> > example.com has delegated its SCT Feedback to.
> >>
> >> This is an engineering problem I don't see a neat solution to. So
> >> obviously the solution is a new HTTP header! SCT-Feedback:
> >>
> >> > https://uncle-neds-discount-hanggliding-and-sct-feedback-correlator.website/google.com/
> >> ;)
> >
> > Quite so.
>
> I can't tell how much people are kidding around here -- I see Tom's
> winky emoticon, at least.
>
> But which version of the site should get to declare where the delegation
> should happen -- the version that has the bogus cert with SCTs from the
> colluding logs, or the "real" version?

If you report every SCT you've seen to whichever site the session with a new SCT says, then eventually the good guy gets to see the bogus SCTs, right?

In fact, you probably only need to report the previous SCT to the next SCT...

> --dkg
>
_______________________________________________
Trans mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/trans
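The rule Ben sketches above (remember the SCT from the previous session for a domain, and on the next session hand it to whatever feedback endpoint that session declares) can be simulated end to end. The following is an added example written for this page; it is not code from the thread and not the SCT Feedback mechanism of the trans working group. The SCT-Feedback header, the two feedback URLs, the log names and certificate fingerprints, and the FeedbackEndpoint and Client classes are all constructed assumptions of the simulation. It walks through dkg's scenario: a genuine session, one intercepted session with a bogus cert and an SCT from a colluding log, then a return to the real site.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SCT:
    """A Signed Certificate Timestamp reduced to what the simulation needs.
    Real SCTs carry a log ID, timestamp and signature; here the log ID and the
    fingerprint of the certificate the SCT was issued for are enough (constructed)."""
    log_id: str
    cert_fingerprint: str


@dataclass(frozen=True)
class Session:
    """One TLS session as the client saw it (constructed input)."""
    domain: str
    sct: SCT
    feedback_url: str  # value of the hypothetical SCT-Feedback header in this session


class FeedbackEndpoint:
    """A site's SCT feedback receiver (hypothetical). known_fingerprints lists the
    certificates the operator actually deployed; anything else reported for the
    domain is evidence of a certificate the operator never issued."""

    def __init__(self, known_fingerprints):
        self.known = set(known_fingerprints)
        self.received = []  # (domain, SCT) pairs as reported by clients

    def report(self, domain, sct):
        self.received.append((domain, sct))

    def unexplained(self):
        """SCTs reported to us that cover a certificate we do not recognise."""
        return [s for _, s in self.received if s.cert_fingerprint not in self.known]


class Client:
    """Implements 'report the previous SCT to the next session': on each new
    session for a domain, send the SCT remembered from the previous session for
    that domain to the feedback URL the current session declares, then remember
    the current SCT. last_seen would have to persist across browser restarts."""

    def __init__(self, endpoints):
        self.endpoints = endpoints  # feedback_url -> FeedbackEndpoint (hypothetical)
        self.last_seen = {}         # domain -> SCT from the previous session

    def connect(self, session):
        prev = self.last_seen.get(session.domain)
        # Reporting an SCT to a session that carries the very same SCT tells the
        # site nothing new, so only a change of SCT triggers a report.
        if prev is not None and prev != session.sct:
            self.endpoints[session.feedback_url].report(session.domain, prev)
        self.last_seen[session.domain] = session.sct


def run_scenario():
    """Victim visits example.com, is intercepted once, then returns to the real site."""
    real_url = "https://example.com/.well-known/sct-feedback"  # hypothetical
    attacker_url = "https://attacker.example/sct-feedback"      # hypothetical
    good_sct = SCT("honest-log", "fp-real-cert")
    bogus_sct = SCT("colluding-log", "fp-bogus-cert")
    endpoints = {
        real_url: FeedbackEndpoint(known_fingerprints=["fp-real-cert"]),
        attacker_url: FeedbackEndpoint(known_fingerprints=["fp-bogus-cert"]),
    }
    client = Client(endpoints)
    # 1. Genuine session: the real site declares its own feedback URL.
    client.connect(Session("example.com", good_sct, real_url))
    # 2. Intercepted session: bogus cert, SCT from a colluding log, and the
    #    attacker's own header pointing feedback at the attacker. The client
    #    dutifully reports the genuine SCT there.
    client.connect(Session("example.com", bogus_sct, attacker_url))
    # 3. Interception ends; the real site is back, and the SCT remembered from
    #    the intercepted session is reported to the real endpoint.
    client.connect(Session("example.com", good_sct, real_url))
    return endpoints[real_url], endpoints[attacker_url]


if __name__ == "__main__":
    real, attacker = run_scenario()
    for sct in real.unexplained():
        print("real site learned of an SCT for a cert it never issued:", sct)
    print("attacker endpoint received:", attacker.received)
```

Two things the run makes visible that the one-line proposal does not. First, the attacker's endpoint receives the genuine SCT during the intercepted session; the SCT itself is public, but the report tells the attacker this client has previously seen the real certificate. Second, the real site only learns of the bogus SCT because step 3 happens: an adversary who intercepts every session for a domain for as long as the client keeps its memory never lets the report reach the real endpoint, so the scheme depends on the interception being partial or temporary.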
