> >> Not sure what the question is - as the doc says, the list will be
> >> constructed from the logs...
> >
> >
> > I think I read it incorrectly as "without an embedded CT from *any*
> > qualifying logs" instead of "from all qualifying logs." Now I can see how
> > the whitelist is created, but I'm less clear on what the intention of it
> > is. Is the assumption that some certs will be issued with more than zero
> > but fewer than three SCTs (proposed as the minimum acceptable in the
> > "Qualifying Certificates" section) and you'd like to whitelist such certs
> > during the rollout period?
>
> Ah. So, all existing certs do not have embedded SCTs. So, we either
> wait until all existing certs expire before we can enforce CT, or we
> whitelist the unexpired certs.


I think I'm back to my original question now :-) How do all the existing
certs get into the CT log? (at which point building the whitelist is easy)
Is the onus on EV users then to log their old certs or face failing in
Chrome? Or do EV-issuing CAs have sufficient records of what they've
issued? Or is this something that we're hoping can be (at least mostly)
achieved by network observation?
_______________________________________________
therightkey mailing list
therightkey@ietf.org
https://www.ietf.org/mailman/listinfo/therightkey
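The check the thread is circling around, written out as an added example (this is not code from the list, from Chrome or from any CA): parse the TLS-encoded SignedCertificateTimestampList that RFC 6962 section 3.3 places in the embedded-SCT certificate extension, count the SCTs, and apply the rollout rule under discussion: a cert qualifies with at least three embedded SCTs, and a cert with fewer is accepted only if it is unexpired and on the whitelist of pre-CT certs. Assumptions not taken from the thread: `MIN_SCTS = 3` mirrors the proposed minimum; the whitelist is keyed by the cert's SHA-256 fingerprint; SCT signatures are parsed but not verified; the sample SCTs, log IDs, fingerprints and dates are constructed.

```python
# Added example, not from the therightkey thread, Chrome or any CA.
# Parses an embedded SignedCertificateTimestampList (RFC 6962 3.3) and
# applies the rollout rule discussed above: at least MIN_SCTS embedded
# SCTs, or else an unexpired certificate on the pre-CT whitelist.
# Assumptions: MIN_SCTS = 3 (the proposed minimum), whitelist keyed by
# SHA-256 fingerprint, SCT signatures are not verified here.
from __future__ import annotations
import struct
from datetime import datetime, timezone

MIN_SCTS = 3  # minimum proposed in the "Qualifying Certificates" section


def _u16(buf: bytes, off: int) -> tuple[int, int]:
    if off + 2 > len(buf):
        raise ValueError("truncated length field")
    return struct.unpack(">H", buf[off:off + 2])[0], off + 2


def _take(buf: bytes, off: int, n: int) -> tuple[bytes, int]:
    if off + n > len(buf):
        raise ValueError("truncated field")
    return buf[off:off + n], off + n


def parse_sct(raw: bytes) -> dict:
    """Parse one SignedCertificateTimestamp (RFC 6962 section 3.2)."""
    version, off = _take(raw, 0, 1)
    if version != b"\x00":            # only v1 is defined
        raise ValueError("unknown SCT version %r" % version)
    log_id, off = _take(raw, off, 32)
    ts_bytes, off = _take(raw, off, 8)
    ext_len, off = _u16(raw, off)
    extensions, off = _take(raw, off, ext_len)
    algs, off = _take(raw, off, 2)     # DigitallySigned: hash alg, sig alg
    sig_len, off = _u16(raw, off)
    signature, off = _take(raw, off, sig_len)
    if off != len(raw):
        raise ValueError("trailing bytes after SCT")
    return {
        "log_id": log_id,
        "timestamp_ms": struct.unpack(">Q", ts_bytes)[0],
        "extensions": extensions,
        "hash_alg": algs[0],
        "sig_alg": algs[1],
        "signature": signature,
    }


def parse_sct_list(data: bytes) -> list[dict]:
    """SignedCertificateTimestampList: 2-byte total length, then a run of
    2-byte-length-prefixed serialized SCTs."""
    total, off = _u16(data, 0)
    if total != len(data) - 2:
        raise ValueError("list length does not match extension length")
    scts = []
    while off < len(data):
        n, off = _u16(data, off)
        raw, off = _take(data, off, n)
        scts.append(parse_sct(raw))
    return scts


def evaluate(fingerprint: str, sct_list: bytes, not_after: datetime,
             whitelist: set[str], now: datetime) -> tuple[bool, str]:
    """Rollout policy: enough embedded SCTs, else whitelisted and unexpired.
    A malformed extension is rejected rather than treated as zero SCTs."""
    try:
        count = len(parse_sct_list(sct_list)) if sct_list else 0
    except ValueError:
        return False, "malformed-sct-list"
    if count >= MIN_SCTS:
        return True, "embedded-scts"
    if now >= not_after:
        return False, "expired"
    if fingerprint in whitelist:
        return True, "whitelisted"
    return False, "too-few-scts"


# --- constructed sample data: fake log IDs, signatures and fingerprints ---
def encode_sct(log_id: bytes, timestamp_ms: int, signature: bytes) -> bytes:
    """Build a v1 SCT with SHA-256(4)/ECDSA(3) identifiers, no extensions."""
    return (b"\x00" + log_id + struct.pack(">Q", timestamp_ms)
            + struct.pack(">H", 0) + bytes([4, 3])
            + struct.pack(">H", len(signature)) + signature)


def encode_sct_list(scts: list[bytes]) -> bytes:
    body = b"".join(struct.pack(">H", len(s)) + s for s in scts)
    return struct.pack(">H", len(body)) + body


SAMPLE_SCTS = [encode_sct(bytes([i]) * 32, 1_400_000_000_000 + i, b"fake-sig")
               for i in (1, 2, 3)]
THREE_SCTS = encode_sct_list(SAMPLE_SCTS)
TWO_SCTS = encode_sct_list(SAMPLE_SCTS[:2])
WHITELIST = {"aa" * 32}           # constructed fingerprint of a pre-CT cert
NOW = datetime(2014, 6, 1, tzinfo=timezone.utc)
LATER = datetime(2015, 6, 1, tzinfo=timezone.utc)
EARLIER = datetime(2014, 1, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(evaluate("bb" * 32, THREE_SCTS, LATER, WHITELIST, NOW))
    print(evaluate("bb" * 32, TWO_SCTS, LATER, WHITELIST, NOW))
    print(evaluate("aa" * 32, b"", LATER, WHITELIST, NOW))
    print(evaluate("aa" * 32, b"", EARLIER, WHITELIST, NOW))
```

The expiry check comes before the whitelist lookup so that a whitelist built once from the logs does not have to be pruned as certs expire; a cert whose extension is present but truncated is rejected outright, since treating it as "zero SCTs" would let a corrupted extension fall through to the whitelist path.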