On-list discussion of https://github.com/yaronf/I-D/issues/273
This is about section 6.5, “Certificate Revocation”
Starting the bullet list saying “CRLs are the most widely supported mechanism”
should really have a qualifier. Something like “While in the general PKI case,
CRLs are …” I mean, if they actually *were* the most widely supported, then
browsers would do it. :)
More importantly, however, I think this best practices document should say
something about Certificate Transparency.
For example, the first set of bullets could have something like this:
Certificate Transparency {RFC6962} and {RFC9162} provides a
mechanism for CAs and clients to have greater confidence that a certificate
has been properly issued. As described in {RFC9162, Section 6} CT information
can be transmitted as extensions during the TLS handshake, often piggy-backed
with OCSP information. It has similar issues to OCSP as described above.
The numbered set of items could have:
4. Clients MAY wish to support CT, using the mechanisms
described in {RFC9162}.
_______________________________________________
Uta mailing list
https://www.ietf.org/mailman/listinfo/uta
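The post mentions that CT information is carried as a TLS extension. The extension payload is the SignedCertificateTimestampList defined in RFC 6962 (Sections 3.2 and 3.3): a 16-bit length-prefixed list of 16-bit length-prefixed SCTs, each containing a version byte, a 32-byte log ID, a 64-bit millisecond timestamp, an extensions vector and a DigitallySigned structure. The parser below is an added example, not code from the post, the draft or the RFCs; the log IDs, timestamps and signature bytes in the sample are constructed placeholders, and the code parses and length-checks the structure but does not verify the log signature, which requires the public key of a trusted log.

```python
import struct

# TLS SignatureAndHashAlgorithm code points (RFC 5246 Section 7.4.1.4.1),
# enough to label the values a v1 CT log uses.
HASH_ALGS = {4: "sha256"}
SIG_ALGS = {1: "rsa", 3: "ecdsa"}


def _take_u16_vector(buf: bytes, pos: int) -> tuple[bytes, int]:
    """Read a TLS opaque<0..2^16-1> vector at pos; return (payload, new_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated length field at offset %d" % pos)
    n = struct.unpack(">H", buf[pos:pos + 2])[0]
    start, end = pos + 2, pos + 2 + n
    if end > len(buf):
        raise ValueError("vector at offset %d overruns buffer" % pos)
    return buf[start:end], end


def parse_sct(sct: bytes) -> dict:
    """Parse one SignedCertificateTimestamp (RFC 6962 Section 3.2)."""
    if len(sct) < 1 + 32 + 8:
        raise ValueError("SCT too short")
    version = sct[0]
    if version != 0:  # v1 (value 0) is the only version RFC 6962 defines
        raise ValueError("unsupported SCT version %d" % version)
    log_id = sct[1:33]                               # SHA-256 of the log's public key
    timestamp_ms = struct.unpack(">Q", sct[33:41])[0]
    extensions, pos = _take_u16_vector(sct, 41)
    # DigitallySigned: hash alg (1), signature alg (1), opaque signature<0..2^16-1>
    if pos + 2 > len(sct):
        raise ValueError("missing SignatureAndHashAlgorithm")
    hash_alg, sig_alg = sct[pos], sct[pos + 1]
    signature, end = _take_u16_vector(sct, pos + 2)
    if end != len(sct):
        raise ValueError("%d trailing bytes after SCT signature" % (len(sct) - end))
    return {
        "version": version,
        "log_id": log_id.hex(),
        "timestamp_ms": timestamp_ms,
        "extensions": extensions,
        "hash_alg": HASH_ALGS.get(hash_alg, hash_alg),
        "sig_alg": SIG_ALGS.get(sig_alg, sig_alg),
        "signature": signature,
    }


def parse_sct_list(data: bytes) -> list[dict]:
    """Parse a SignedCertificateTimestampList as carried in the
    signed_certificate_timestamp TLS extension (RFC 6962 Section 3.3)."""
    body, end = _take_u16_vector(data, 0)
    if end != len(data):
        raise ValueError("SCT list length does not cover the extension data")
    if not body:
        raise ValueError("empty SCT list is not permitted")
    scts, pos = [], 0
    while pos < len(body):
        sct, pos = _take_u16_vector(body, pos)
        scts.append(parse_sct(sct))
    return scts


def build_sct(log_id: bytes, timestamp_ms: int, signature: bytes,
              extensions: bytes = b"", hash_alg: int = 4, sig_alg: int = 3) -> bytes:
    """Serialise a v1 SCT; used here only to construct sample input."""
    body = bytes([0]) + log_id + struct.pack(">Q", timestamp_ms)
    body += struct.pack(">H", len(extensions)) + extensions
    body += bytes([hash_alg, sig_alg]) + struct.pack(">H", len(signature)) + signature
    return body


def build_sct_list(scts: list[bytes]) -> bytes:
    items = b"".join(struct.pack(">H", len(s)) + s for s in scts)
    return struct.pack(">H", len(items)) + items


# Constructed sample: two SCTs with placeholder log IDs and dummy signature bytes
# (not real log identifiers or valid signatures).
SAMPLE_SCT_LIST = build_sct_list([
    build_sct(bytes([0x11]) * 32, 1_700_000_000_000, b"\x30\x45" + b"\x00" * 69),
    build_sct(bytes([0x22]) * 32, 1_700_000_060_000, b"\x30\x44" + b"\x00" * 68),
])

if __name__ == "__main__":
    for entry in parse_sct_list(SAMPLE_SCT_LIST):
        print(entry["log_id"], entry["timestamp_ms"], entry["hash_alg"], entry["sig_alg"])
```

The same SignedCertificateTimestampList encoding appears inside the OCSP response extension and the X.509 precertificate extension, so a client that validates CT can reuse this parser for all three delivery paths; the strict length checks matter because the extension comes from the server before the certificate has been trusted.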