Re: Call for Adoption: Expect-CT

From: Alessandro Ghedini <alessandro@ghedini.me>
Date: Sat, 10 Dec 2016 14:15:14 +0000
To: "Roy T. Fielding" <fielding@gbiv.com>
Cc: Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>, Patrick McManus <mcmanus@ducksong.com>
Message-ID: <20161210141514.25yserfi74cb3ppk@pinky.local>

On Fri, Dec 09, 2016 at 12:13:15PM -0800, Roy T. Fielding wrote:
> Why is this not a TLS option, preferably signaled by an attribute of the
> certificate itself?

I don't have strong opinions about HTTP header vs TLS extension, but making
this an x509 extension would severely impact adoption of this mechanism in
the short and medium terms since it would require explicit support from CAs.

Might be worth noting that by using an HTTP header a site behind a third-party
CDN could in theory implement the mechanism itself without support from the
CDN (whether this is a useful thing is unclear though).

Cheers
Received on Saturday, 10 December 2016 14:15:45 UTC