#146: SCT Feedback doesn't account for privacy-sensitive EE certs
Comment (by [email protected]):

No, I agree. Not because the server doesn't know about the certificate, but because the server is expected to share that exact same data with Auditors (either pushing the data or making available for polling.)

So I'm wondering: should clients not post redacted certificates to the servers they came from.... or should servers be expected to hide their redacted certificates from auditors?

I lean towards the latter.

a) If a server was attacked, they should get the details of that attack, not have it hidden by an attacker who chose to get a redacted SCT
b) the server wants to keep the data private, they can do the extra work

--
Reporter:   [email protected]
Owner:      draft-ietf-trans-threat-[email protected]
Type:       defect
Status:     new
Priority:   major
Milestone:
Component:  gossip
Version:
Severity:   -
Resolution:
Keywords:

Ticket URL: <https://trac.tools.ietf.org/wg/trans/trac/ticket/146#comment:2>
