> (9) 3.1, " However, the log MUST refuse to publish > certificates without a valid chain to a known root CA." seems > to preclude any solution for self-signed certs or DNSSEC/DANE. > Is that a good plan? Maybe if you make it a positive "must > accept" then that'd avoid that problem? (If a good solution > for SSCs or DANE spam is figured out later.)
I think this has to exclude SSCs and DANE until we know how to deal with them, because otherwise a colluding CA and log could avoid blame on the CA by logging the end certificate, signed by, say, some one-off intermediate. This means we cannot weaken the MUST and still be able to blame the CA. We could add language to the effect that although this does exclude SSCs and DANE we welcome suggestions to allow their inclusion. _______________________________________________ therightkey mailing list therightkey@ietf.org https://www.ietf.org/mailman/listinfo/therightkey