On Fri, Sep 28, 2018 at 4:39 PM Tim Hollebeek <[email protected]> wrote:
> My comment is correct for the situation as it largely exists today.
>
> That it might be different in the future is a fair point.

No, it isn’t, as the numbers I just referenced should have made clear that I am speaking about today, not the future.

The view that SCTs have to be included in certificates is not correct: not correct by the text, not correct by the existing policies, and not correct by the deployed reality. It is mistaken to keep suggesting such, because this can be empirically demonstrated as not correct. You can see this through the widescale deployment of Expect-CT by some cloud providers, demonstrating millions of active sites, with both existing and new certificates, without embedded SCTs. That this is both the deployed reality and consistent with the -bis recommendation is precisely why any attempt to ignore this is unproductive to understanding the system as written.

Further, given how 6962 evolved, in which the largest adoption came as large cloud providers automatically provided SCTs via TLS, and further supported the ecosystem investigation while CAs waited for the ecosystem to require it, it is entirely reasonable to say that every bit of available evidence supports a view that -bis will be deployed in the same way, with SCTs provided by all three methods.
_______________________________________________
Trans mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/trans
