[cabfpub] [therightkey] Updated Certificate Transparency + Extended Validation plan

Rick Andrews Rick_Andrews at symantec.com
Thu Feb 6 18:51:16 UTC 2014


Ben,

Can you clarify something? The SCT delivery options described in the RFC are options for the web site owner, not for the CA. CAs will need to support all three options. We will have customers who won’t do stapling and can’t handle TLS extensions, so they just want the SCTs embedded in the cert. But not all customers will prefer that option. I believe other customers will want the SCT-in-the-OCSP-response or TLS extension option, because in those options you don’t have to transmit the SCTs in every SSL handshake. I suspect some of our large customers who are obsessed with performance will demand one of these options.
 
So CAs will need to support all three options, unless you’re so small a CA that your few EV customers agree on one option. Is that your expectation?

-Rick

> -----Original Message-----
> From: therightkey [mailto:therightkey-bounces at ietf.org] On Behalf Of
> Ben Laurie
> Sent: Tuesday, February 04, 2014 9:08 AM
> To: CABFPub; certificate-transparency at googlegroups.com;
> therightkey at ietf.org
> Subject: [therightkey] Updated Certificate Transparency + Extended
> Validation plan
> 
> Enclosed, our revised plan.
> 
> Comments welcome.

