Re: Call for Adoption: Expect-CT

While in theory this could be a TLS option, in practice, with the
infrastructure deployed today, it would be very hard to deploy as a TLS
One of the ways to support Certificate Transparency in an TLS connection is
to send Signed Certificate TImestamp Lists in the TLS handshake (assuming
the client advertises support for it).

Deploying that feature, in Chrome, on Google's infrastructure and
open-source HTTP servers, have taught us that this is a very invasive
change that could break servers (simply by clients re-ordering the TLS
 extensions they support) and is not trivial to deploy (needs support in
the underlying SSL library).

Exactly for this reason a header is, IMHO, a good solution: It is much
easier to set up and would help identify cases where a site owner believes
their site supports CT, but it doesn't (if changing certificate issuance
software / TLS servers was easy, we wouldn't have needed this feature in
the first place).

Received on Tuesday, 13 December 2016 11:43:58 UTC