On Wed, Jun 7, 2017 at 9:29 AM, Magnus Ahltorp <[email protected]> wrote:

> CAs cannot be held responsible for domain-validated certificates for the
> simple reason that they don't have documentation, and therefore cannot be
> required to produce documentation, which means that they can claim anything.

At the risk of going offtopic, by broadening into policy discussions, at least with respect to the Web PKI - which is certainly the only (publicly) deployed instance of CT, https://cabforum.org/baseline-requirements-documents/ govern and https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.4.5.pdf applies (Sections 3.2.2.4 & .5 and Section 5.4)

TL;DR: Yes they do produce documentation, no, they cannot claim anything.

> It is definitely possible to generate new timestamps and not log them, but
> I was rebutting "they don't have to produce the list of SCTs they've
> signed", which is not true, unless "don't have to" is different from "not
> required to". Logs are required to produce the list of all timestamps they
> have signed when MMD has passed. That is what it means to be a log.

I'm not sure your usage of "required" to. If you mean in the abstract, philosophical sense - yes, a well-behaving log is expected to do so. However, an evil log can lie - and not produce such timestamps, by not integrating them into the log, despite having signed them.

Which was the point - only an Honest Log can audit the production of all of its SCTs and make sure they're integrated, but the concern here is about a Dishonest Log, which would only integrate some of the SCTs into the STH.
_______________________________________________
Trans mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/trans
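Added example, not part of the original message or of any CT implementation: a sketch of how an auditor holding one SCT can detect the case discussed above, where a log signed the SCT but did not integrate the entry into an STH issued after the MMD. It uses the RFC 6962 Merkle hashing rules; the 24-hour MMD, the dictionary layout of the STH, the opaque byte strings standing in for MerkleTreeLeaf structures and all function names are assumptions, and SCT and STH signatures are assumed to have been verified already. The check only covers SCTs the auditor has actually seen, which is the limitation the thread is about.

```python
import hashlib

MMD_MS = 24 * 60 * 60 * 1000     # assumed maximum merge delay (24 h), in ms

def leaf_hash(entry):            # RFC 6962: SHA-256(0x00 || leaf input)
    return hashlib.sha256(b"\x00" + entry).digest()
def node_hash(left, right):      # RFC 6962: SHA-256(0x01 || left || right)
    return hashlib.sha256(b"\x01" + left + right).digest()

def split(n):                    # largest power of two strictly below n (n >= 2)
    return 1 << ((n - 1).bit_length() - 1)

def root(hashes):                # Merkle tree hash over a list of leaf hashes
    if len(hashes) == 1:
        return hashes[0]
    k = split(len(hashes))
    return node_hash(root(hashes[:k]), root(hashes[k:]))

def audit_path(i, hashes):       # log side: inclusion proof for leaf i
    if len(hashes) == 1:
        return []
    k = split(len(hashes))
    if i < k:
        return audit_path(i, hashes[:k]) + [root(hashes[k:])]
    return audit_path(i - k, hashes[k:]) + [root(hashes[:k])]

def root_from_path(i, size, leaf, path):   # auditor side: rebuild the root
    if size == 1 or not path:
        return leaf if (size == 1 and not path) else None
    k = split(size)
    if i < k:
        sub = root_from_path(i, k, leaf, path[:-1])
        return node_hash(sub, path[-1]) if sub else None
    sub = root_from_path(i - k, size - k, leaf, path[:-1])
    return node_hash(path[-1], sub) if sub else None

def audit_sct(sct_ts, entry, sth, proof):  # proof is (index, path) or None
    if sth["timestamp"] < sct_ts + MMD_MS:
        return "pending"         # MMD has not passed; absence proves nothing
    if proof is not None:
        index, path = proof
        if root_from_path(index, sth["size"], leaf_hash(entry), path) == sth["root"]:
            return "included"
    return "violation"           # signed SCT plus signed STH is the evidence

# Constructed sample: SCTs were signed for five entries, only four were merged.
ENTRIES = [b"cert-%d" % i for i in range(5)]
MERGED = [leaf_hash(e) for e in ENTRIES[:4]]
STH = {"timestamp": 2 * MMD_MS, "size": 4, "root": root(MERGED)}
```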
