On Thu, Sep 26, 2013 at 5:35 PM, Ben Laurie <b...@google.com> wrote:
> On 26 September 2013 15:44, Joseph Bonneau <jbonn...@gmail.com> wrote:
> >
> >> >> Not sure what the question is - as the doc says, the list will be
> >> >> constructed from the logs...
> >> >
> >> > I think I read it incorrectly as "without an embedded CT from *any*
> >> > qualifying logs" instead of "from all qualifying logs." Now I can see
> >> > how the whitelist is created, but I'm less clear on what the intention
> >> > of it is. Is the assumption that some certs will be issued with more
> >> > than zero but fewer than three SCTs (proposed as the minimum acceptable
> >> > in the "Qualifying Certificates" section) and you'd like to whitelist
> >> > such certs during the rollout period?
> >>
> >> Ah. So, all existing certs do not have embedded SCTs. So, we either
> >> wait until all existing certs expire before we can enforce CT, or we
> >> whitelist the unexpired certs.
> >
> > I think I'm back to my original question now :-) How do all the existing
> > certs get into the CT log? (at which point building the whitelist is
> > easy) Is the onus on EV users then to log their old certs or face
> > failing in Chrome? Or do EV-issuing CAs have sufficient records of what
> > they've issued?
>
> My assumption is that this is true. If it's not, then CAs need to tell us
> :-)
CAs are required to retain records for audit, and are required to pass audit
to obtain EV status in the first place, so I would very much hope it's not an
unreasonable assumption :)

> > Or is this something that we're hoping can be (at least mostly) achieved
> > by network observation?
>
> This is also likely.
>
> _______________________________________________
> therightkey mailing list
> therightkey@ietf.org
> https://www.ietf.org/mailman/listinfo/therightkey
_______________________________________________
therightkey mailing list
therightkey@ietf.org
https://www.ietf.org/mailman/listinfo/therightkey
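Added example, not part of the thread and not Chrome's or any CT document's code: one concrete reading of the mechanism the thread is arguing about. It builds the rollout whitelist from the qualifying logs (union of all log entries, keep only unexpired certs with no embedded SCT), then applies the client-side check (enough embedded SCTs, or on the whitelist). The three-SCT minimum is taken from the thread; the Cert record, the log contents, the dates and every name are constructed for illustration.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone
import hashlib

# Assumption taken from the thread: three SCTs is the proposed minimum for a
# qualifying certificate. The rest of the policy below is this example's own
# reading of the discussion, not Chrome's or a CT document's actual logic.
MIN_SCTS = 3


@dataclass(frozen=True)
class Cert:
    der: bytes            # constructed stand-in for the certificate's DER bytes
    not_after: datetime   # expiry; decides when a cert drops off the whitelist
    embedded_scts: int    # number of SCTs embedded in the cert itself


def fingerprint(cert: Cert) -> str:
    """Whitelist key: SHA-256 of the (stand-in) DER encoding."""
    return hashlib.sha256(cert.der).hexdigest()


def build_whitelist(logs: dict[str, list[Cert]], now: datetime) -> set[str]:
    """Build the rollout whitelist from the logs.

    Reading used here: take every entry from all qualifying logs, keep only
    certs with no embedded SCT (pre-CT issuance) that are unexpired at `now`.
    A cert that was never logged cannot make the list, which is exactly why
    the thread asks how existing certs get into the logs in the first place.
    """
    whitelist: set[str] = set()
    for entries in logs.values():
        for cert in entries:
            if cert.embedded_scts == 0 and cert.not_after > now:
                whitelist.add(fingerprint(cert))
    return whitelist


def ct_acceptable(cert: Cert, whitelist: set[str], now: datetime) -> bool:
    """Client-side decision once CT is enforced: enough embedded SCTs, or on
    the whitelist. Expired certs fail regardless."""
    if cert.not_after <= now:
        return False
    if cert.embedded_scts >= MIN_SCTS:
        return True
    return fingerprint(cert) in whitelist


def _utc(y: int, m: int, d: int) -> datetime:
    return datetime(y, m, d, tzinfo=timezone.utc)


# Constructed sample data (not real certificates or real log contents).
ENFORCEMENT = _utc(2014, 2, 1)     # hypothetical day CT enforcement starts
LATER = _utc(2015, 7, 1)           # after the last pre-CT cert has expired

OLD_EV = Cert(b"old-ev-cert", _utc(2015, 6, 1), 0)       # pre-CT, still valid
EXPIRED = Cert(b"expired-cert", _utc(2013, 12, 1), 0)    # pre-CT, already expired
NEW_EV = Cert(b"new-ev-cert", _utc(2016, 1, 1), 3)       # issued with 3 SCTs
PARTIAL = Cert(b"partial-cert", _utc(2016, 1, 1), 2)     # logged, but only 2 SCTs
UNLOGGED = Cert(b"unlogged-cert", _utc(2015, 1, 1), 0)   # pre-CT, never submitted

QUALIFYING_LOGS = {
    "log-a": [OLD_EV, EXPIRED, NEW_EV, PARTIAL],
    "log-b": [OLD_EV, NEW_EV],
}


def rollout_decisions(now: datetime = ENFORCEMENT) -> dict[str, bool]:
    """Whitelist built at `now`, then each sample cert checked against it."""
    wl = build_whitelist(QUALIFYING_LOGS, now)
    samples = [("old_ev", OLD_EV), ("expired", EXPIRED), ("new_ev", NEW_EV),
               ("partial", PARTIAL), ("unlogged", UNLOGGED)]
    return {name: ct_acceptable(cert, wl, now) for name, cert in samples}


if __name__ == "__main__":
    print("whitelist size at enforcement:",
          len(build_whitelist(QUALIFYING_LOGS, ENFORCEMENT)))
    for name, ok in rollout_decisions().items():
        print(f"{name:>9}: {'accept' if ok else 'reject'}")
    print("whitelist size once pre-CT certs expire:",
          len(build_whitelist(QUALIFYING_LOGS, LATER)))
```

Two things the sample data makes visible. PARTIAL is the "more than zero but fewer than three" case raised in the thread: under this reading it is neither whitelisted (it has embedded SCTs) nor accepted on its own (fewer than MIN_SCTS), which is consistent with the answer that existing certs simply have no embedded SCTs, so the case is not expected to arise. Running build_whitelist at LATER returns an empty set: once every pre-CT cert has expired the whitelist is redundant, which is the "wait until all existing certs expire" alternative from the thread. UNLOGGED is rejected at both dates because a cert that never reached a qualifying log cannot be whitelisted from the logs, whoever ends up submitting the old certs.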