#154: CSR extension to convey a certificate subscriber's CT preferences to the CA
Some certificate subscribers might want to communicate various CT-related things to the CA. For example...

- Please generate a Precertificate and then embed SCTs in the certificate.
- I'm using OCSP Stapling; please embed SCTs in OCSP Responses for this certificate.
- Please embed inclusion proofs (rather than SCTs) in the certificate; I accept that this will delay issuance of the certificate.
- Please embed SCTs from as many logs as possible.
- Please embed SCTs from logs X, Y and Z, and not from logs A, B or C.
- Please do _not_ log this certificate to any logs; I accept that some TLS clients may reject the certificate due to CT non-compliance.

Some CAs might permit these sorts of details to be specified in a <form> on a webpage when the subscriber requests the certificate. That's great, but it probably won't work for everyone. In particular, putting this information in a CSR extension would make it possible to tunnel it through ACME or via a certificate reseller.

(I'm assigning this ticket to the rfc6962-bis component for now, but I see no particular reason why it couldn't be punted to some other document. I don't want this ticket to delay WGLC for 6962-bis).

--
-------------------------------------+-------------------------------------
 Reporter:  [email protected]        |      Owner:  [email protected]
     Type:  enhancement              |     Status:  new
 Priority:  major                    |  Milestone:
Component:  rfc6962-bis              |    Version:
 Severity:  -                        |   Keywords:
-------------------------------------+-------------------------------------

Ticket URL: <https://trac.tools.ietf.org/wg/trans/trac/ticket/154>
trans <https://tools.ietf.org/trans/>
