> That doesn't address the issue. Where can a startup, in stealth mode, go to > get such a cert? > Can you please elaborate on this scenario? Is it a startup with > topsecretname.com? or topsecretproject.publicstartupname.com? I can't see > redaction for >the former (?.com) allowed in any scenario, and a wildcard > cert (*.publicstartupname.com) would cover the other.
It's the latter, of course. And a wildcard covers more. And a skunkworks or secret project would not want the generic wildcard, and vice-versa. >It doesn't. CT describes a protocol/mechanism for publicly disclosing certs, >TLS client software in general (and browsers in particular) would decide on >whether it's required. But name redaction greatly limits the choice. > And it should not limit privacy to those with deep pockets. > This is where I truly lack data/insight. From a technical perspective, > redaction with a name-constrained intermediate is equivalent to redaction of > domain name labels but I don't know how much more work it is for a CA to set > up (technical arguments on why they may not be equivalent are _very_ relevant > to this discussion). Go ask the folks who run pki.google.com how much is involved. > Redaction can also be achieved by certificates with wildcards, so the only > reason (I can see) to use 6962-bis redaction is to redact multiple levels of > a domain name. The original chromium proposal, right? >If only we could separate the two. But you can't. Trust is a business and branding issue. _______________________________________________ Trans mailing list [email protected] https://www.ietf.org/mailman/listinfo/trans
