On 20 July 2016 at 04:51, Yaron Sheffer <[email protected]> wrote:

> 4. Option 1 looks to the ACME server as a normal cert request, and
> therefore will swamp the CT logs with lots of short-term certs. With
> Option 2, we can log to CT the issuance of the delegation ticket instead
> of the actual certificates.
I think the CT community would strongly oppose this notion (I know I would). As a domain owner, I want to know what certificates are issued for me - that is the purpose of CT. Logging a delegation ticket does not accomplish this. An attacker who compromises the delegation ticket has free rein and I would never know.

Maybe there is a way to make this possible, similar to redacted certificates, but since implementors of CT can't agree on a good way to make redaction work functionally, it seems unlikely this would be adopted by CT in short order.

-tom
