While the mechanisms behind Certificate Transparency are technically capable of being used for X.509 certificates other than TLS server certificates, the current ecosystem is focused exclusively on TLS server certificates. This intent is captured in the abstracts of both RFC 6962 and -bis as well as policies defined by existing CT-enforcing user agents [1] [2].
Should a compelling need for non-TLS certificate transparency arise, current CT-enforcing user agents are very likely to insist that the set of CT Logs used for this new purpose is separate from the existing TLS CT Log ecosystem. There are several benefits of this:

1. Many other certificate types contain PII or other information that various laws require a service to be able to take down upon request, which conflicts with the append-only nature of CT.

2. Segmenting CT Log ecosystems by purpose insulates these CT Logs from possible mis-management of CAs in PKI ecosystems that are less scrutinized and maintained than the web PKI. While some progress is being made in reining in S/MIME and code signing certificate issuance practices, there is a long way to go.

3. This segmentation also allows purpose-specific Monitoring/Auditing of CT Logs (e.g. a Monitor like CertSpotter or Facebook not having to sift through the world's S/MIME or code signing certificates to notify you of a mis-issued TLS certificate). CT Monitoring is already a non-trivial task for the size of CT Logs that are intended to log only TLS certificates.

-Devon

[1] https://goo.gl/chrome/ct-policy
[2] https://support.apple.com/en-us/HT205280

On Wed, Sep 18, 2019 at 9:35 AM Sherif Hanna <[email protected]> wrote:
> Hello,
>
> Is the CT approach intended to be used beyond monitoring/auditing X.509
> certificates for servers? For example, for X.509 certificates used for code
> signing?
>
> Regards,
> Sherif
>
> _______________________________________________
> Trans mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/trans
