Chrome is updating its CT log policy to clarify permissible logging rejection criteria: https://github.com/GoogleChrome/ct-policy/pull/9/files …
Why does it make sense to reject revoked certificates if clients don't reliably check for revocation?
-
Think of it as an optional policy that, come April when Chrome is enforcing SCTs, will give logs the flexibility to prevent log flooding.
-
Because stapling will soon become the norm (he says hopefully)
-
Also, this only gives log operators the permission to choose; it does not mean that log operators are required to reject those certs.
-
If we don't trust the CA, how can we trust the revocation status from the CA? Especially given that there are many OCSP responses per cert.
-
I guess it makes sense if/when the client rejects certificates w/o valid SCTs.
-
True, but then the true value of CT only occurs when it's required for all certs, so I presumed that as the end state.
-
Disagree. 1) EV is in that state already, 2) It is true that CT for DV until enforced is largely herd immunity and best effort but ...
-
That doesn't mean it is not valuable in this transitory state, and this change wouldn't weaken that situation at all.