Re: Call for Adoption: Expect-CT

On Fri, Dec 09, 2016 at 12:13:15PM -0800, Roy T. Fielding wrote:
> Why is this not a TLS option, preferably signaled by an attribute of the
> certificate itself?

I don't have strong opinions about HTTP header vs TLS extension, but making
this an x509 extension would severely impact adoption of this mechanism in
the short and medium terms since it would require explicit support from CAs.

Might be worth noting that by using an HTTP header a site behind a third-party
CDN could in theory implement the mechanism itself without support from the
CDN (whether this is a useful thing is unclear though).


Received on Saturday, 10 December 2016 14:15:45 UTC