Hi,

This issue has been discussed in the past, at least on one CT policy day I recall.

There's currently no mechanism to remove a certificate from a public log - mechanisms to do so were proposed (e.g. replacing the certificate with a leaf that contains only its hash and a forward-pointer to a record in the log explaining why it was removed) but IIRC the consensus was that all such mechanisms would be open to misuse as there would be no way to automatically/programmatically verify that the reason specified for a removal of a certificate is a valid one.

Eran

On Tue, Mar 5, 2019 at 12:51 AM Taavi Eomäe <[email protected]> wrote:

> Hi
>
> I hope this is the right place to ask this question. The question itself
> is quite simple, how resilient are Certificate Transparency logs to GDPR
> takedown requests and what are the methods of removing a certificate from
> public logs without compromising the integrity of the logs?
>
> The reason why I'm asking this seemingly simple question is because
> Estonia has been issuing certificates to its citizens since 2003, they're
> issued by a public CA and some of the certificates already exist in current
> logs (
> https://ct.googleapis.com/rocketeer/ct/v1/get-entries?start=110654446&end=110654446
> ).
> But if I'm not mistaken, GDPR applies to CT as well, those certificates
> contain PII, thus those certificates should be under the "mercy" of whose
> PII it is, but as far as I've searched, no one has discussed this
> previously, am I wrong?
>
> Taavi Eomäe
> _______________________________________________
> Trans mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/trans
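The hash-only leaf proposal mentioned in the reply above, sketched as an added example that is not part of the thread or of any CT log implementation: it shows that the RFC 6962 tree head is unchanged when a certificate is swapped for its leaf hash, and that the removed entry then stays out of a monitor's view whatever reason is given. The `Redacted` record, its fields and the sample entries are assumptions constructed for illustration.

```python
import hashlib
from dataclasses import dataclass

def leaf_hash(entry: bytes) -> bytes:
    """RFC 6962 leaf hash: SHA-256(0x00 || entry)."""
    return hashlib.sha256(b"\x00" + entry).digest()

def root(hashes: list) -> bytes:
    """RFC 6962 Merkle Tree Hash computed over a list of leaf hashes."""
    n = len(hashes)
    if n == 0:
        return hashlib.sha256(b"").digest()
    if n == 1:
        return hashes[0]
    k = 1
    while k * 2 < n:          # largest power of two strictly below n
        k *= 2
    return hashlib.sha256(b"\x01" + root(hashes[:k]) + root(hashes[k:])).digest()

@dataclass(frozen=True)
class Redacted:               # hypothetical record type, not a CT structure
    kept_hash: bytes          # leaf hash of the removed certificate
    reason_index: int         # forward pointer to the entry explaining the removal

def tree_head(log: list) -> bytes:
    """Root over the log, using the kept hash wherever an entry was redacted."""
    return root([e.kept_hash if isinstance(e, Redacted) else leaf_hash(e) for e in log])

def redact(log: list, index: int, reason_index: int) -> list:
    """Return a copy of the log with one entry replaced by its hash and a pointer."""
    out = list(log)
    out[index] = Redacted(leaf_hash(log[index]), reason_index)
    return out

def inspectable(log: list) -> list:
    """Indexes whose certificate bytes a monitor can still read and re-hash."""
    return [i for i, e in enumerate(log) if not isinstance(e, Redacted)]

# Constructed sample entries (real entries are DER certificates with timestamps).
# The log is shown after the removal notice has already been appended at index 5.
LOG = [b"cert-0", b"cert-1", b"cert-with-PII", b"cert-3", b"cert-4",
       b"removal notice for entry 2"]

if __name__ == "__main__":
    after = redact(LOG, 2, 5)
    print("tree head unchanged:", tree_head(LOG) == tree_head(after))
    print("entries a monitor can still inspect:", inspectable(after))
```

The Merkle structure survives the replacement, so existing signed tree heads and proofs stay valid; what a monitor loses is the ability to examine the removed certificate, and nothing in the tree lets it check the stated reason.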
