On 18 December 2012 23:03, Stephen Farrell <stephen.farr...@cs.tcd.ie> wrote:
>
>
> On 12/18/2012 12:19 PM, Ben Laurie wrote:
>>> (13) 4.x - how does CT impact on the TLS server cert used for
>>> these HTTPS connections?
>>
>> I presume you're afraid of some bootstrapping problem.
>
> Right. To be honest I still need to figure out that I agree
> there's no gotcha there.
>
>> So, let's
>> imagine a world in which no logs exist yet, but clients insist on CT
>> for all new certs. How do we get off the ground?
>>
>> Easily: the log gets a cert from a CA _without_ an embedded SCT. It
>> then logs it (using an internal API) to get an SCT, which it serves
>> using a TLS extension.
>
> Ok, so do you need to say that clients interacting with a log
> MUST be able to do CT and that CT SHOULD be used for such TLS
> sessions?

No, I don't think so, I'm saying that _if_ they do CT we can still
bootstrap :-)

_______________________________________________
therightkey mailing list
therightkey@ietf.org
https://www.ietf.org/mailman/listinfo/therightkey