On 14/04/15 12:38, Kurt Roeckx wrote:
On 2015-04-14 01:15, Peter Kurrasch wrote:
Let's use an example. Suppose CNNIC issues a cert for
whitehouse[dot]gov and let's further suppose that CNNIC includes this
cert in the CT data since they have agreed to do that. What happens next?

What I've been wondering about is whether we need a mechanism where the
CT log should approve the transition from one issuer to another.

Kurt, isn't CAA (RFC6844) the tool for this job?

I imagine something like:
Issuer A: issue subject
Issuer B: Intend to issue subject
Issuer A: Allow migration to Issuer B of subject
Issuer B: issue subject

If we want to go with something like that, we probably need to think
about how this would work with multiple SANs and not migrating all of
them and things like that.

(This is probably more a discussion for the CT list, feel free to bring
it up there.)


Kurt

--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
