Come embrace the temptations of the Sea-SIDH! Intermediate certs are rarely used, so that would achieve 204 byte sig on intermediate + 64 byte intermediate key + 204 byte sig of EE cert since the signing time doesn't matter. Then with SCT and OCSP, it's 204 bytes each.
As for the actual proposal, I like the idea of per-protocol subjects. I am worried about the way this makes the PKI a more distributed system, in the Lamportian sense. A certificate being used successfully depends now on the transparency service propagating the batch from the CA and the CA creating the batch, and the user-agent, not the site, determines what transparency service is used. This makes it much more difficult for sites to be sure their certificates will actually work.

Sincerely,
Watson Ladd

--
Astra mortemque praestare gradatim

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls