> Use short-lived certificates
>
> This doesn't make sense to me. A short-lived cert will be permanently logged
> in CT.
> In fact using shorter certs means more entries for the onion service in the
> CT log - making it easier, not harder, to find.

The assumption is that the information being logged might change, so it limits the exposure, but maybe that's not valid.

> Use a separate domain/key pair
>
> This goes counter to the whole idea of a PKI. Using a cert for a.onion on
> b.onion asserts very little useful.

Well, this is onion we're discussing here, but point taken. :-)

> CT Exemption Advocacy
>
> I don't think an RFC is the place to advocate for changes in a different
> organization, but otherwise agreed.

I will incorporate the rest of your comments as appropriate.

Regards,
Derrell

_______________________________________________
Acme mailing list -- acme@ietf.org
To unsubscribe send an email to acme-le...@ietf.org