#152: Architecture document: CT-aware TLS clients may require SCTs for all certs
Comment (by [email protected]):

The architecture document is not written in the future optimistic tense ;-). While I agree that there is a goal for every server cert to be accompanied by (or to contain) an SCT, it seems inappropriate for this document to state that browsers are expected to reject any cert that fails this criterion. I plan to revise the text as follows:

Thus CT-aware TLS clients are not expected to fetch an inclusion proof in realtime, e.g., during TLS connection establishment. Such clients also are not expected to reject a certificate that has no associated SCT, because there is no plan for incremental deployment of CT that accommodates such rejection in a backwards compatible fashion.

--
-------------------------+-------------------------------------------------
 Reporter:               |       Owner:  draft-ietf-trans-
  [email protected]      |  [email protected]
     Type:  defect       |      Status:  new
 Priority:  major        |   Milestone:
Component:  client-      |     Version:
  behavior               |  Resolution:
 Severity:  -            |    Keywords:
                         |
-------------------------+-------------------------------------------------

Ticket URL: <https://trac.tools.ietf.org/wg/trans/trac/ticket/152#comment:1>
trans <https://tools.ietf.org/trans/>
