
Re: [therightkey] LC comments on draft-laurie-pki-sunlight-05

2013-02-16 12:55:09
On Feb 16, 2013, at 10:22 AM, Phillip Hallam-Baker <hallam(_at_)gmail(_dot_)com> wrote:

Looking at the CT proposal, it seems to me that we could fix the business 
model issue and remove a lot of the CA operational issues as follows:

1) Each browser provider that is interested in enforcing a CT requirement 
stands up a meta-notary server.

2) Each CA runs their own notary server and this is the only resource that 
needs to have a check-in at certificate issue.

3) Each CA notary server checkpoints to one or more meta-notary servers every 
60 minutes. As part of the check-in process it uploads the whole information 
for all the certificates issued in that time interval.

4) Meta-notaries deliver tokens that assert that the CA notaries are current 
every 60 minutes. Note here that 'current' is according to the criteria set 
by the meta-notary. This is an intentional piece of 'slop' in the system.

5) The OCSP tokens delivered by the CA contain the information necessary to 
checkpoint the certificate to the Meta-Notaries.

6) A browser enforcing CT disclosure pulls a list of anchor points from its 
chosen meta-notary every 60 minutes and uses them to validate the CT 
assertions delivered in certs.

Are you saying that those six items should be added to the experimental RFC as 
requirements, or are you just discussing what might happen operationally after 
the RFC is published? 

--Paul Hoffman