- From: Eran Messeri <eranm@google.com>
- Date: Tue, 13 Dec 2016 11:42:55 +0000
- To: ietf-http-wg@w3.org
- Message-ID: <CALzYgEf+Cjd1v2wyg=iO61t0pf7gZpO9Y=r4C2Gra9Yx_hC0iA@mail.gmail.com>
While in theory this could be a TLS option, in practice, with the infrastructure deployed today, it would be very hard to deploy as a TLS option. One of the ways to support Certificate Transparency in a TLS connection is to send Signed Certificate Timestamp Lists in the TLS handshake (assuming the client advertises support for it). Deploying that feature, in Chrome, on Google's infrastructure and open-source HTTP servers, has taught us that this is a very invasive change that could break servers (simply by clients re-ordering the TLS extensions they support) and is not trivial to deploy (needs support in the underlying SSL library). Exactly for this reason a header is, IMHO, a good solution: it is much easier to set up and would help identify cases where a site owner believes their site supports CT, but it doesn't (if changing certificate issuance software / TLS servers was easy, we wouldn't have needed this feature in the first place).
Received on Tuesday, 13 December 2016 11:43:58 UTC