On Mon, Mar 6, 2017 at 1:36 PM, Ryan Sleevi <[email protected]> wrote:
> On Mon, Mar 6, 2017 at 4:22 PM, Ben Laurie <[email protected]> wrote:
>>
>> I think you can waste a lot of brainpower on redaction, but really the
>> answer is: if you don't want to publish your names, then don't use a
>> mechanism that requires you to. There are alternatives: name-constrained
>> sub-CAs. Private CAs. You can even have private CT to go along with them.
>> Why mess up a protocol whose intent is to show everything?
>
> Name-constrained sub-CAs have not been accepted by Chrome as a redaction
> mechanism. They were moved to the redaction spec precisely because they are
> a variation of redaction.
Yes, Ryan hit the nail on the head. I'm trying to waste brainpower on coming
up with a plan Chrome will accept that allows name-constrained sub-CAs to not
log the full details of all the certs they issue. If Chrome had accepted
logging the name-constrained CA certificate in lieu of logging the end-entity
certificate, we would be done.

Thanks,
Peter

_______________________________________________
Trans mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/trans
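To make concrete what "logging the name-constrained CA certificate in lieu of the end-entity certificate" would and would not disclose, here is an added example that is not part of the thread and not code from any of the participants, Chrome, or the CT specifications. It models certificates as plain Python objects rather than parsing DER, implements the RFC 5280 section 4.2.1.10 dNSName subtree rule (a name satisfies a constraint when it equals it or adds labels on the left; the leading-dot "subdomains only" form is a common implementation convention, not RFC text), checks an end-entity certificate's SAN dNSNames against a sub-CA's permittedSubtrees and excludedSubtrees, and then shows which DNS names a log entry for each certificate would reveal. Wildcard SANs get no special handling here; a `*.example.com` SAN is compared as a literal label, which still satisfies `example.com` under the suffix rule. All certificate data is constructed for the example.

```python
"""Added example (not from the trans thread): RFC 5280 dNSName name-constraint
matching, and what a CT log entry for a name-constrained sub-CA discloses
compared with an entry for each end-entity (EE) certificate it issues.
Certificates are modelled as simple objects; nothing here parses real DER."""
from dataclasses import dataclass, field
from typing import List, Set


def dns_name_in_subtree(name: str, subtree: str) -> bool:
    """RFC 5280 4.2.1.10: a dNSName satisfies a constraint when it equals the
    constraint or is formed by adding labels on the left, so
    www.host.example.com matches host.example.com but host1.example.com does
    not. A constraint with a leading '.' (an implementation convention, not
    RFC text) admits subdomains only, never the bare name."""
    name = name.lower().rstrip(".")
    subtree = subtree.lower().rstrip(".")
    if subtree.startswith("."):
        return name.endswith(subtree) and len(name) > len(subtree)
    return name == subtree or name.endswith("." + subtree)


@dataclass
class Cert:
    """Minimal stand-in for an X.509 certificate (constructed model)."""
    subject_cn: str
    dns_sans: List[str] = field(default_factory=list)
    permitted: List[str] = field(default_factory=list)  # permittedSubtrees, dNSName only
    excluded: List[str] = field(default_factory=list)   # excludedSubtrees, dNSName only
    is_ca: bool = False


def violates_constraints(ee: Cert, sub_ca: Cert) -> List[str]:
    """Return the SAN dNSNames of `ee` that fall outside `sub_ca`'s permitted
    subtrees or inside its excluded subtrees. An empty list means the EE cert
    is within the sub-CA's constraints. Per RFC 5280, when permittedSubtrees
    lists any dNSName the SAN must match at least one of them; excludedSubtrees
    is applied regardless."""
    bad = []
    for san in ee.dns_sans:
        if sub_ca.permitted and not any(dns_name_in_subtree(san, p) for p in sub_ca.permitted):
            bad.append(san)
        elif any(dns_name_in_subtree(san, x) for x in sub_ca.excluded):
            bad.append(san)
    return bad


def ct_entry_names(cert: Cert) -> Set[str]:
    """DNS names a CT log entry for `cert` discloses: for a name-constrained
    CA certificate only the permitted subtrees, for an EE certificate every
    SAN. This is the information gap at the heart of the redaction debate."""
    if cert.is_ca:
        return set(cert.permitted)
    return set(cert.dns_sans)


# Constructed sample hierarchy: one name-constrained sub-CA and three EE certs.
SUB_CA = Cert(
    subject_cn="Example Corp Issuing CA",
    permitted=["example.com"],
    excluded=["internal.example.com"],
    is_ca=True,
)
GOOD_EE = Cert("www.example.com", dns_sans=["www.example.com", "mail.example.com"])
FOREIGN_EE = Cert("www.example.org", dns_sans=["www.example.org"])
EXCLUDED_EE = Cert("db.internal.example.com", dns_sans=["db.internal.example.com"])


if __name__ == "__main__":
    for ee in (GOOD_EE, FOREIGN_EE, EXCLUDED_EE):
        print(ee.subject_cn, "violations:", violates_constraints(ee, SUB_CA))
    print("logging the sub-CA reveals:", ct_entry_names(SUB_CA))
    print("logging the EE reveals:    ", ct_entry_names(GOOD_EE))
```

Running it shows why the two positions in the thread differ: a relying party that only sees the sub-CA entry learns that some certificate may exist for something under `example.com`, but not which hostnames were issued, while an entry for the EE certificate lists every SAN. The constraint check is what a log or monitor would run to confirm that an EE certificate presented with a logged sub-CA actually falls inside the subtree the log entry vouches for.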
