On Tue, Jun 14, 2016 at 9:03 PM, Melinda Shore <[email protected]> wrote:
> As we approach the end of working group last call on 6962-bis,
> it looks like we have an unresolved question about whether
> name redaction should stay or go. I just went through the
> mailing list archive and it looks like we have squishy
> agreement that it should go (for example, Rob's comment:
> "Regarding fixing it: I'd rather nuke the redaction
> option than add further complexity."). So, if anybody has
> particularly strong feelings about this, or disagrees
> about removing name redaction, please weigh in.

I disagree with removing name redaction. There is value in having redacted certificates and it isn't questionable that having some info is better than none. For example, a CA could choose to log every certificate but redact some. This would make it very clear if a "rogue" certificate showed up that didn't match any certificate on record.

Symantec has also shown there is customer demand for redacted certificates -- they swapped their default to "log full certificate" a couple of weeks ago and have had several hundred certificates explicitly opt for redaction. From the domains, it seems that it is a number of different customers spanning multiple countries and types of organizations (commercial, government, non-profit, etc).

I think redaction should stay.

Thanks,
Peter

_______________________________________________
Trans mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/trans
