Re: Mandatory conformance statement for CT guidelines

I do not quite get the point of this. Of course the guidelines mandate disclosure of an ICS for those deployments that claim conformance. Those that do not want to claim conformance are not obliged to publish an ICS -- whether they actually conform to the guidelines or not. 

The probable scenario regarding this aspect is a CT vendor claiming conformance to a customer (i.e. an operator), but not wanting to make public the corresponding ICS. This is tantamount to letting some unscrupulous CT vendor install its software and then telling its customer "The deployment conforms to the W3C guidelines. Here is the ICS. Trust us." This would not be acceptable because:
a) In the absence of a standard, W3C-defined and controlled comprehensive test suite, customers cannot verify the claims of the vendor according to a standard specification -- even while keeping the entire procedure confidential.
b) In the absence of a published ICS, the community of developers cannot test and verify that the deployment actually fulfils the requirements of the guidelines.

In any case, conformant CT disclose their presence in the HTTP header field "Via" -- so what is exactly the objective of denying its existence when it cannot keep it confidential?


E.Casais


      

Received on Monday, 7 June 2010 10:28:20 UTC