[cabfpub] Updated Certificate Transparency + Extended Validation plan
Ben Laurie
benl at google.com
Tue Feb 4 20:54:13 UTC 2014
On 4 February 2014 20:50, Adam Langley <agl at chromium.org> wrote:
> On Tue, Feb 4, 2014 at 3:37 PM, Jeremy Rowley
> <jeremy.rowley at digicert.com> wrote:
>> Doesn't that simply require the cert user to either start using OCSP with an
>> embedded certificate or getting a new certificate from the user?
>
> If the certificate was used with OCSP stapling, the CA had a
> reasonably short OCSP validity window and the CA could update the SCT
> in the OCSP response quickly then that would solve the problem.
>
> However, for the purposes of this spec I don't think we said anything
> about that because of the complexity. Having multiple SCTs is clearly
> ok and that kept things simple.
Actually, we do. For the TLS extension and OCSP stapling a single SCT
is allowed.
More information about the Public
mailing list