On Mon, Oct 24, 2016 at 5:03 AM, Rob Stradling <[email protected]> wrote:
> That said, if you're certain that Chrome won't accept SCTs for
> name-constrained intermediates as currently defined in 6962-bis, then
> I'd be in favour of moving this feature to the Redaction draft. Since
> we've completed WGLC for 6962-bis, I presume this possible course of
> action would be a matter for the WG chairs and/or Area Directors to
> consider.

I can't say with certainty, because I think it touches back on the issues previously discussed in the CA/Browser Forum and in the Chromium CT Policy list - which is that a variety of solutions exist, some technical and some policy, and the appropriate solution will likely sit somewhere between the two.

My goal in sending this was to check to see whether there was consensus, say, for a client rejecting EE certs that were accompanied by SCTs from name-redacted CAs, because in talking with various people involved in the space, I was seeing conflicting answers about "what the spec said".

Your interpretation is aligned with how I saw it - that client policy dictates the acceptable form of SCTs - which, to me, also implies that a client that only wishes to recognize EE SCTs does not even need to parse/recognize such SCTs. That is, the spec describes the technical means for it, but it's not mandatory for clients to accept/recognize it as complying with policy.

That's why I hoped that, if there's consensus on that interpretation, it might be seen as an opportunity for a wording tweak that doesn't undermine consensus, rather than a more significant action (like moving to a redaction spec).

_______________________________________________
Trans mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/trans
