[cabfpub] Question on CT: Monitoring

Ben Laurie benl at google.com
Mon Jan 6 13:02:43 UTC 2014


On 6 January 2014 12:49, Ben Laurie <benl at google.com> wrote:
> On 3 January 2014 23:48, Eddy Nigg (StartCom Ltd.)
> <eddy_nigg at startcom.org> wrote:
>> I met recently with a representative of Google working on this project (am I
>> allowed to publish that?)
>
> Sure.
>
>> and I believe there is a way forward with CT.
>> Slightly different than it started, but in my opinion better and the most
>> severe problems affecting CAs in respect to the CT proposal can be apparently
>> easily solved with achieving the same end-result which is the most important
>> thing here. But I don't want to speak for them or put anything into their
>> mouth.
>
> We suspect that you are referring to serving SCTs in TLS extensions.
> It would be helpful if you'd confirm that.
>
> Whilst it is certainly true that this would reduce the burden on CAs
> to zero, it will also increase the rollout time to something like 10
> years or more. So, that is not a plan we intend to pursue.

To clarify (as the next paragraph suggests) there's no plan to change
the current situation, i.e. that SCTs can be served in certificates,
in TLS extensions or in stapled OCSP extensions.

What we won't do is delay rollout until all servers are updated to do
TLS extensions/OCSP stapling.

>
> Note that CAs who are content to only sell to people with updated
> servers can certainly take advantage of this to avoid any extra work.
>
> If you're thinking of something else, please say what.
