On 26 September 2013 15:44, Joseph Bonneau <jbonn...@gmail.com> wrote:

>>>> Not sure what the question is - as the doc says, the list will be
>>>> constructed from the logs...
>>>
>>> I think I read it incorrectly as "without an embedded CT from *any*
>>> qualify logs" instead of "from all qualifying logs." Now I can see how the
>>> whitelist is created, but I'm less clear on what the intention of it is. Is the
>>> assumption that some certs will be issued with more than zero but fewer than
>>> three SCTs (proposed to the minimum acceptable in the "Qualifying
>>> Certificates" section) and you'd like to whitelist such certs during the
>>> rollout period?
>>
>> Ah. So, all existing certs do not have embedded SCTs. So, we either
>> wait until all existing certs expire before we can enforce CT, or we
>> whitelist the unexpired certs.
>
> I think I'm back to my original question now :-) How do all the existing
> certs get into the CT log? (at which point building the whitelist is easy)
> Is the onus on EV users then to log their old certs or face failing in
> Chrome? Or do EV-issuing CAs have sufficient records of what they've issued?

My assumption is that this is true. If it's not, then CAs need to tell us :-)

> Or is this something that we're hoping can be (at least mostly) achieved by
> network observation?

This is also likely.

_______________________________________________
therightkey mailing list
therightkey@ietf.org
https://www.ietf.org/mailman/listinfo/therightkey
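The rollout policy the thread sketches (accept a certificate carrying SCTs from at least three qualifying logs, otherwise fall back to a whitelist of unexpired pre-CT certs) as an added Python example; this is not code from the thread, from the CT draft or from Chrome. It parses the RFC 6962 SignedCertificateTimestampList payload, counts distinct qualifying logs, and otherwise consults a whitelist keyed by SHA-256 of the certificate DER; that keying, the placeholder signatures and the sample log ids are assumptions, and SCT signature verification is assumed to happen elsewhere.

```python
import hashlib
import struct

def build_sct(log_id: bytes, timestamp_ms: int, signature: bytes) -> bytes:
    """Serialize a v1 SCT (RFC 6962 s3.2). Constructed test data; the signature is a placeholder."""
    return (bytes([0]) + log_id + struct.pack(">QH", timestamp_ms, 0)       # v1, log id, ts, no extensions
            + bytes([4, 3]) + struct.pack(">H", len(signature)) + signature)  # sha256/ecdsa, signature

def build_sct_list(scts) -> bytes:
    """Wrap SCTs in the SignedCertificateTimestampList vector (2-byte length prefixes)."""
    inner = b"".join(struct.pack(">H", len(s)) + s for s in scts)
    return struct.pack(">H", len(inner)) + inner

def parse_sct_list(data: bytes):
    """Parse a SignedCertificateTimestampList into [(log_id, timestamp_ms)]; ValueError if malformed."""
    if len(data) < 2 or struct.unpack(">H", data[:2])[0] != len(data) - 2:
        raise ValueError("outer length mismatch")
    pos, out = 2, []
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated length prefix")
        n = struct.unpack(">H", data[pos:pos + 2])[0]
        sct = data[pos + 2:pos + 2 + n]
        pos += 2 + n
        if len(sct) != n or n < 47:        # 1+32+8+2+2+2 bytes is the smallest well-formed SCT
            raise ValueError("truncated SCT")
        if sct[0] != 0:
            raise ValueError("unsupported SCT version")
        timestamp_ms, ext_len = struct.unpack(">QH", sct[33:43])
        sig_at = 43 + ext_len + 2          # skip extensions and the two signature-algorithm bytes
        if sig_at + 2 > n or sig_at + 2 + struct.unpack(">H", sct[sig_at:sig_at + 2])[0] != n:
            raise ValueError("signature length mismatch")
        out.append((sct[1:33], timestamp_ms))
    return out

def ev_ct_decision(cert_der: bytes, sct_list: bytes, qualifying_logs, whitelist, min_scts=3) -> str:
    """'sct' if SCTs from at least min_scts distinct qualifying logs, 'whitelist' if the cert's
    SHA-256 is on the rollout whitelist of pre-CT certs, else 'reject'. Signatures assumed verified."""
    try:
        seen = {log_id for log_id, _ in parse_sct_list(sct_list)} if sct_list else set()
    except ValueError:
        seen = set()                       # a malformed extension earns no credit
    if len(seen & set(qualifying_logs)) >= min_scts:
        return "sct"
    return "whitelist" if hashlib.sha256(cert_der).hexdigest() in whitelist else "reject"

# Constructed sample data: three qualifying logs, one unknown log (LOG_D), one pre-CT EV certificate.
LOG_A, LOG_B, LOG_C, LOG_D = (bytes([i]) * 32 for i in (1, 2, 3, 4))
QUALIFYING, OLD_CERT = {LOG_A, LOG_B, LOG_C}, b"constructed-pre-ct-ev-cert-der"
WHITELIST = {hashlib.sha256(OLD_CERT).hexdigest()}   # the rollout whitelist the thread describes
```

Duplicate SCTs from one log and SCTs from non-qualifying logs earn no credit, which is the distinction the "from all qualifying logs" wording in the thread turns on.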