Ben,
...
For what it's worth, I do not read 6962-bis as "very much being focused" on
CA-based logging. Consider, for example, certificate subjects submitting
certificates to logs, something that is done without CA involvement and can
be done in response to (e.g.) Logs being distrusted or browsers increasing
the required number of SCTs. It's unclear that CAs have as much incentive
as subjects to be responsive to changing events in this way.
-Ben
I agree that a diligent Subject can benefit from submitting its cert to
a Log, to receive an SCT and, optionally, an STH. When CT was initially
proposed, the CA-submission approach was emphasized, because it was
perceived as easier to "persuade" the relatively small number of CAs to
submit pre-certs/certs, vs. the very large number of web sites. Also,
since we have seen many web sites sending expired certs to browsers
during TLS session establishment, one can question how diligent these
websites will be when dealing with the additional administrative burdens
imposed by CT. But, for diligent website operators, Subject submission
does offer benefits.
Note that I made a number of changes to the text to address many of
Ryan's latest set of comments, in a message posted a few minutes ago.
Included in these changes is a revision of Figure 1 to show CA and
Subject submission of certs to Logs.
Steve
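The Subject-submission flow discussed above (a site operator sending its own certificate chain to a Log and receiving an SCT back), as an added, self-contained Python example that is not part of this thread or of any CT implementation. It builds the `add-chain` request body from a PEM chain, parses the JSON SCT response, re-encodes it into the TLS `SignedCertificateTimestamp` wire format a server would present, and checks the SCT's log ID against an operator-maintained set of trusted logs (the kind of check that matters when a Log is distrusted). The certificate DER bytes, log ID, timestamp and signature bytes are all constructed placeholders; no network call is made and the signature is not verified.

```python
import base64
import json
import struct
from dataclasses import dataclass

# Constructed placeholders standing in for real DER-encoded leaf and issuer certificates.
FAKE_LEAF_DER = b"\x30\x03\x02\x01\x01"
FAKE_ISSUER_DER = b"\x30\x03\x02\x01\x02"

# Constructed log identity and signature bytes; not a real log, not a real ECDSA signature.
SAMPLE_LOG_ID = bytes(range(32))
SAMPLE_SIGNATURE = b"\x30\x06\x02\x01\x01\x02\x01\x02"
SAMPLE_TIMESTAMP_MS = 1414252233000
HASH_SHA256, SIG_ECDSA = 4, 3  # TLS HashAlgorithm / SignatureAlgorithm code points


def _pem(der: bytes) -> str:
    return "-----BEGIN CERTIFICATE-----\n" + base64.b64encode(der).decode() + "\n-----END CERTIFICATE-----\n"


SAMPLE_PEM_CHAIN = _pem(FAKE_LEAF_DER) + _pem(FAKE_ISSUER_DER)

# Constructed add-chain response in the JSON shape of RFC 6962 section 4.1.
SAMPLE_ADD_CHAIN_RESPONSE = json.dumps({
    "sct_version": 0,
    "id": base64.b64encode(SAMPLE_LOG_ID).decode(),
    "timestamp": SAMPLE_TIMESTAMP_MS,
    "extensions": "",
    "signature": base64.b64encode(
        struct.pack("!BBH", HASH_SHA256, SIG_ECDSA, len(SAMPLE_SIGNATURE)) + SAMPLE_SIGNATURE).decode(),
})


def pem_chain_to_der(pem_text: str) -> list:
    """Extract each CERTIFICATE block from PEM text as raw DER bytes, leaf first."""
    certs, buf, inside = [], [], False
    for line in pem_text.splitlines():
        line = line.strip()
        if line == "-----BEGIN CERTIFICATE-----":
            inside, buf = True, []
        elif line == "-----END CERTIFICATE-----":
            certs.append(base64.b64decode("".join(buf)))
            inside = False
        elif inside and line:
            buf.append(line)
    return certs


def build_add_chain_request(pem_text: str) -> str:
    """JSON body for POST /ct/v1/add-chain: {"chain": [base64 DER, ...]}, leaf first."""
    chain = [base64.b64encode(c).decode() for c in pem_chain_to_der(pem_text)]
    if not chain:
        raise ValueError("no certificates found in PEM chain")
    return json.dumps({"chain": chain})


@dataclass
class SCT:
    version: int
    log_id: bytes
    timestamp_ms: int
    extensions: bytes
    hash_alg: int
    sig_alg: int
    signature: bytes


def parse_sct_response(body: str) -> SCT:
    """Parse the add-chain JSON response; the 'signature' field is a TLS DigitallySigned blob."""
    obj = json.loads(body)
    if obj["sct_version"] != 0:
        raise ValueError("unsupported SCT version %r" % obj["sct_version"])
    log_id = base64.b64decode(obj["id"])
    if len(log_id) != 32:
        raise ValueError("log id must be a 32-byte SHA-256 of the log key")
    ds = base64.b64decode(obj["signature"])
    hash_alg, sig_alg, sig_len = struct.unpack("!BBH", ds[:4])
    if len(ds) != 4 + sig_len:
        raise ValueError("DigitallySigned length mismatch")
    extensions = base64.b64decode(obj.get("extensions", ""))
    return SCT(0, log_id, int(obj["timestamp"]), extensions, hash_alg, sig_alg, ds[4:])


def encode_sct_tls(sct: SCT) -> bytes:
    """Serialize to the SignedCertificateTimestamp struct presented in the TLS extension."""
    return (struct.pack("!B", sct.version) + sct.log_id + struct.pack("!Q", sct.timestamp_ms)
            + struct.pack("!H", len(sct.extensions)) + sct.extensions
            + struct.pack("!BBH", sct.hash_alg, sct.sig_alg, len(sct.signature)) + sct.signature)


def sct_from_trusted_log(sct: SCT, trusted_log_ids: set) -> bool:
    """An SCT from a distrusted log earns nothing; operators re-submit elsewhere when this fails."""
    return sct.log_id in trusted_log_ids
```

A real client would POST the request body over HTTPS and verify the signature over the SCT with the log's public key before relying on it; the `sct_from_trusted_log` check is where a diligent operator's trusted-log list, rather than the CA's, decides whether a re-submission is needed.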
_______________________________________________
Trans mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/trans