> Lack of redaction has not prevented 6962 from being widely deployed.
> There are more than a dozen logs in operation which contain over 24.5 million
> distinct unexpired certificates.

We don't know that. What we do know is that the world's most-used browser is requiring it for some, soon all, certificates. I could claim that Chrome is the only reason why 6962 is deployed. And 12 logs is still one less than the number of root zone DNS servers :)

> Privacy is something that needs to be considered, but that does not mean
> redaction is the right solution. I would prefer that CT offer a strong
> guarantee of transparency even if it means not logging every certificate.
> 6962bis offers an option for privacy -- logging name constrained CA
> certificates.

And how much does it cost, on average, to get a name-constrained subCA from one of the trusted roots? (I have no idea; that's an honest question.) But should privacy only be limited to those who can afford to get one, or forced to buy a wildcard, or similar?

The IETF considers privacy to be very important. Certificates should not be exempt from that.

_______________________________________________
Trans mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/trans
