On Tue, Mar 31, 2020 at 6:24 PM A. Schulze <[email protected]> wrote:
> On 12.03.20 at 19:51, Salz, Rich wrote:
> > This mail begins a one-week working group last call on
> > https://datatracker.ietf.org/doc/draft-ietf-acme-email-smime/?include_text=1
> (hopefully not too late ...)
>
> Hello @all,
>
> I became aware of a privacy problem once an ACME instance will implement
> this draft: CT logs.
> Usually the space of local parts for a domain's email addresses is private.
> Enumeration is impossible and unwanted.
> But CT logs change some assumptions people may have...

Aren’t those concerns founded on certain assumptions that may not be entirely accurate?

- That an ACME server (CA) implementing this is using the same trust hierarchy that they use for TLS?
  - This is forbidden by most major client software (to issue both from the same hierarchy)
- That the CT logs intended for one protocol (e.g. TLS) accept certificates for other protocols
  - This is a bug in the current TLS CT logs being fixed (to properly exclude non-TLS certificates)

Either, or both, of these issues mitigate the concern. However, it doesn’t seem this concern is related to the protocol, nor would this draft change anything (and was discussed heavily in TRANS)
