The ticket said:
Section 12.1 contradicts text in Section 9.2. 12.1 says that a mis-issued certificate that has not been logged is not compliant, whereas 9.2 says that any certificate not accompanied by an SCT is non-compliant. These are distinct ways of being non-compliant. The discussion of the security implications of mis-issued certificates relative to logging is more accurately described in the attack/threat model. The Security Considerations section should use text from that document when addressing most of what is discussed in 12.1, 12.2, and 12.4.
I still maintain that this is an inconsistency in the text.
#136: inconsistent discussion of mis-issued certs and compliance

Changes ([email protected]):

* milestone: => review

Comment:

What is inconsistent about that? If a certificate has not been logged, it necessarily cannot be accompanied by an SCT and is therefore non-compliant.
_______________________________________________
Trans mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/trans
