Redaction (4.2) should stay. It provides a necessary mechanism for domain owners to protect the privacy and security of their domains when participating in certificate transparency. With redaction, domain owners are able to get the full benefits of monitoring certificates issued to their domains and also get the privacy protection they need. We have talked extensively with customers who have validated the requirement for privacy. Since we rolled out redaction support several days ago, we have already had hundreds of customers select this option for over 1500 certificates.
Other solution paths, while fail to support all of the key use cases like name redaction can:

* Wildcards - this could work for some organizations, however it is common for large enterprises to have explicit IT policies prohibiting the use of wildcard certificates.
* Name Constrained Intermediate - this has proven to be unmanageable as it doesn't enable additional domains to be added later, a key use case for most customers.
* Private CA - this too can work but is relevant only for non-browser use cases. Customers consistently choose publicly trusted certificates for internal sites for root ubiquity and manageability.

Thanks,
Sanjay

On 6/14/16, 9:03 PM, "Melinda Shore" <[email protected]> wrote:

>Hi, all:
>
>As we approach the end of working group last call on 6962-bis,
>it looks like we have an unresolved question about whether
>name redaction should stay or go. I just went through the
>mailing list archive and it looks like we have squishy
>agreement that it should go (for example, Rob's comment:
>"Regarding fixing it: I'd rather nuke the redaction
>option than add further complexity."). So, if anybody has
>particularly strong feelings about this, or disagrees
>about removing name redaction, please weigh in.
>
>Thanks,
>
>Melinda
>
>_______________________________________________
>Trans mailing list
>[email protected]
>https://www.ietf.org/mailman/listinfo/trans
