That is correct. While this is slightly drifting out of the scope of TRANS and the RFCs and into user agent policy, there is not currently a technical limitation on which types of leaf certificates are logged to existing CT Logs, except that they must chain to the set of roots specified by the Log. Chrome, for example, also allows a Log to reject a certificate logging request if the certificate is expired, revoked, or expires outside of a certain time period if such a period is specified by that Log.
Speaking for one user agent only, I can say Chrome is considering requiring Logs verify that a certificate is a TLS certificate (expressed via EKUs) in order to be logged; however, there are myriad ways in which PII or sensitive information can be added to even TLS certificates. User agent CT policy is evolving over time, and if embedding such information becomes a serious issue, it will be addressed via updates to that policy.

-Devon

On Wed, Sep 18, 2019 at 11:40 AM Taavi Eomäe <[email protected]> wrote:
>
> 1. Many other certificate types contain PII or other information that
> various laws require a service to be able to take down upon request, which
> conflicts with the append-only nature of CT.
>
> Just wanted to add one thing about this benefit: I am pretty sure even
> current CT logs allow appending certificates that contain PII and conflict
> with the append-only nature of CT.
_______________________________________________ Trans mailing list [email protected] https://www.ietf.org/mailman/listinfo/trans
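The checks Devon lists (chaining to the Log's configured roots, rejecting expired leaves, rejecting leaves whose expiry falls outside a Log-specified window, and the possible future requirement that the leaf carry a TLS server-auth EKU) are easy to mis-order or to leave implicit in a library's defaults. The following is an added example, not code from this thread, from Chrome, or from any CT Log implementation; the `LogPolicy` type, the error values, and the "Example Log Root" / "Unrelated Root" fixtures are all constructed for illustration. It issues a handful of test leaves under a throwaway root and shows which policy rule each one trips. Revocation is deliberately left out, since it needs CRL or OCSP access and cannot be demonstrated offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// LogPolicy is a hypothetical per-Log acceptance policy (not any real Log's code):
// roots the Log chains to, an optional NotAfter window (temporal sharding), and
// whether a TLS server-auth EKU is required. Revocation is not modelled here.
type LogPolicy struct {
	Roots            *x509.CertPool
	NotAfterStart    time.Time // zero value = no lower bound
	NotAfterLimit    time.Time // zero value = no upper bound
	RequireTLSServer bool
}

var (
	ErrExpired = errors.New("leaf already expired")
	ErrShard   = errors.New("NotAfter outside the Log's accepted window")
	ErrNotTLS  = errors.New("leaf lacks id-kp-serverAuth EKU")
	ErrChain   = errors.New("leaf does not chain to a Log root")
)

// CheckLeaf reports the first policy rule that would make a Log reject leaf at time now.
func CheckLeaf(leaf *x509.Certificate, pol LogPolicy, now time.Time) error {
	if now.After(leaf.NotAfter) {
		return ErrExpired
	}
	if !pol.NotAfterStart.IsZero() && leaf.NotAfter.Before(pol.NotAfterStart) {
		return ErrShard
	}
	if !pol.NotAfterLimit.IsZero() && !leaf.NotAfter.Before(pol.NotAfterLimit) {
		return ErrShard
	}
	if pol.RequireTLSServer && !hasServerAuth(leaf) {
		return ErrNotTLS
	}
	// ExtKeyUsageAny turns off Verify's own default serverAuth rule, so the EKU
	// decision is made only by the explicit policy check above.
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pol.Roots, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	if err != nil {
		return fmt.Errorf("%w: %v", ErrChain, err)
	}
	return nil
}

// hasServerAuth is strict: only id-kp-serverAuth counts, not anyExtendedKeyUsage.
func hasServerAuth(c *x509.Certificate) bool {
	for _, eku := range c.ExtKeyUsage {
		if eku == x509.ExtKeyUsageServerAuth {
			return true
		}
	}
	return false
}

var nextSerial int64 = 1000 // constructed fixtures only; uniqueness per issuer is enough

func serial() *big.Int { nextSerial++; return big.NewInt(nextSerial) }

// newCA builds a self-signed root valid 2019-2030 (constructed test fixture).
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: serial(), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Date(2019, 1, 1, 0, 0, 0, 0, time.UTC), NotAfter: time.Date(2030, 1, 1, 0, 0, 0, 0, time.UTC),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueLeaf signs a leaf with the given EKUs and validity period under ca.
func issueLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, eku []x509.ExtKeyUsage, nb, na time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: serial(), Subject: pkix.Name{CommonName: "leaf.example"},
		NotBefore: nb, NotAfter: na, KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: eku}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildScenarios runs CheckLeaf over constructed leaves against a Log that trusts
// one root, requires serverAuth, and accepts only leaves expiring during 2020.
func BuildScenarios() (map[string]error, error) {
	now := time.Date(2019, 9, 18, 12, 0, 0, 0, time.UTC) // the thread's date, constructed
	root, rootKey, err := newCA("Example Log Root")
	if err != nil {
		return nil, err
	}
	other, otherKey, err := newCA("Unrelated Root")
	if err != nil {
		return nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(root)
	pol := LogPolicy{Roots: pool, RequireTLSServer: true,
		NotAfterStart: time.Date(2020, 1, 1, 0, 0, 0, 0, time.UTC),
		NotAfterLimit: time.Date(2021, 1, 1, 0, 0, 0, 0, time.UTC)}
	tls := []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	code := []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}
	inWindow := time.Date(2020, 6, 1, 0, 0, 0, 0, time.UTC)
	cases := []struct {
		name   string
		ca     *x509.Certificate
		key    *ecdsa.PrivateKey
		eku    []x509.ExtKeyUsage
		nb, na time.Time
	}{
		{"tls-ok", root, rootKey, tls, now.AddDate(0, -1, 0), inWindow},
		{"code-signing", root, rootKey, code, now.AddDate(0, -1, 0), inWindow},
		{"expired", root, rootKey, tls, now.AddDate(-2, 0, 0), now.AddDate(-1, 0, 0)},
		{"outside-shard", root, rootKey, tls, now.AddDate(0, -1, 0), time.Date(2022, 1, 1, 0, 0, 0, 0, time.UTC)},
		{"untrusted-issuer", other, otherKey, tls, now.AddDate(0, -1, 0), inWindow},
	}
	out := map[string]error{}
	for _, c := range cases {
		leaf, err := issueLeaf(c.ca, c.key, c.eku, c.nb, c.na)
		if err != nil {
			return nil, err
		}
		out[c.name] = CheckLeaf(leaf, pol, now)
	}
	return out, nil
}

func main() {
	res, err := BuildScenarios()
	if err != nil {
		panic(err)
	}
	for _, n := range []string{"tls-ok", "code-signing", "expired", "outside-shard", "untrusted-issuer"} {
		fmt.Printf("%-17s -> %v\n", n, res[n])
	}
}
```

The order of the checks matters in practice: the expiry and window tests run before chain building so that a submitter gets the specific reason rather than a generic chain failure, and passing `ExtKeyUsageAny` to `Verify` keeps the EKU decision in the Log's policy rather than in the library's default, which would otherwise silently require serverAuth even for a Log that has not adopted that rule.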
