On 05/03/15 23:37, Tom Ritter wrote:
<snip>
Hi Tom. Thanks for that blog post. I'd been meaning to reply to your
websec post (that proposed HSTS "must staple") to propose HSTS "require
CT". :-)
> In reality, not so much. Certificate Authorities are gearing up to
> support CT, and if you work closely with one, you may even be able to
> purchase a cert with embedded SCTs. (DigiCert says all you have to do
> is contact them.) So depending on your choice of CA, you may be able
> to leverage this mechanism.
Comodo's CA system is capable of embedding SCTs in any cert we issue,
although we currently only do this by default for EV SSL certs.
> Getting an SCT into an OCSP response is probably trickier. Not only
> does this require the cooperation of the CA, but because most CAs
> purchase software and hardware to run their OCSP responders it also
> likely requires that vendor to do some development. I'm not aware of
> any CA that supports this mechanism of delivering SCTs, but I could
> be wrong.
We support this mechanism too, although I don't think any of our
customers are using it yet.
--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
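Both delivery mechanisms discussed in the thread (SCTs embedded in the certificate, and SCTs carried in the OCSP response) use the same RFC 6962 SignedCertificateTimestampList structure; only the OID of the extension that wraps it differs (1.3.6.1.4.1.11129.2.4.2 in the certificate, 1.3.6.1.4.1.11129.2.4.5 in the OCSP SingleResponse). The parser below is an added, stand-alone example written for this page; it is not code from Tom Ritter's post, from Comodo, or from any CA. It unwraps the DER OCTET STRING around the extension value, walks the TLS-encoded list, and returns each SCT's version, log ID, timestamp and signature algorithm. The sample extension it parses is constructed inline (the log IDs and the "signature" bytes are placeholders, not real log keys or real signatures), so it runs offline; it does not verify the SCT signatures, which would additionally require the log's public key and the precertificate TBS bytes.

```python
from __future__ import annotations

import struct
from datetime import datetime, timezone

# RFC 6962 section 3.3: the same TLS-encoded SignedCertificateTimestampList is
# carried either as an X.509 extension (embedded SCTs) or as an OCSP extension.
SCT_LIST_CERT_OID = "1.3.6.1.4.1.11129.2.4.2"
SCT_LIST_OCSP_OID = "1.3.6.1.4.1.11129.2.4.5"

HASH_ALGS = {4: "sha256"}          # TLS 1.2 HashAlgorithm values used by CT logs
SIG_ALGS = {1: "rsa", 3: "ecdsa"}  # TLS 1.2 SignatureAlgorithm values


def der_octet_string_payload(der: bytes) -> bytes:
    """Unwrap the DER OCTET STRING (tag 0x04) that wraps an extnValue."""
    if not der or der[0] != 0x04:
        raise ValueError("expected DER OCTET STRING")
    first = der[1]
    if first < 0x80:                       # short-form length
        length, offset = first, 2
    else:                                  # long-form length: 0x8N then N bytes
        n = first & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length encoding")
        length, offset = int.from_bytes(der[2:2 + n], "big"), 2 + n
    payload = der[offset:offset + length]
    if len(payload) != length:
        raise ValueError("truncated OCTET STRING")
    return payload


def _take(buf: bytes, pos: int, n: int) -> tuple[bytes, int]:
    """Slice n bytes at pos, refusing to read past the end of the buffer."""
    if pos + n > len(buf):
        raise ValueError("truncated SCT structure")
    return buf[pos:pos + n], pos + n


def parse_sct(sct: bytes) -> dict:
    """Parse one RFC 6962 SignedCertificateTimestamp (v1 only)."""
    pos = 0
    version, pos = _take(sct, pos, 1)
    if version[0] != 0:
        raise ValueError(f"unknown SCT version {version[0]}")
    log_id, pos = _take(sct, pos, 32)                     # SHA-256 of log key
    ts_raw, pos = _take(sct, pos, 8)                      # ms since the epoch
    ext_len_raw, pos = _take(sct, pos, 2)
    extensions, pos = _take(sct, pos, struct.unpack("!H", ext_len_raw)[0])
    hash_alg, pos = _take(sct, pos, 1)
    sig_alg, pos = _take(sct, pos, 1)
    sig_len_raw, pos = _take(sct, pos, 2)
    signature, pos = _take(sct, pos, struct.unpack("!H", sig_len_raw)[0])
    if pos != len(sct):
        raise ValueError("trailing bytes after SCT")
    timestamp_ms = struct.unpack("!Q", ts_raw)[0]
    return {
        "version": version[0],
        "log_id": log_id.hex(),
        "timestamp": datetime.fromtimestamp(timestamp_ms / 1000, tz=timezone.utc),
        "extensions": extensions,
        "hash_alg": HASH_ALGS.get(hash_alg[0], f"unknown({hash_alg[0]})"),
        "sig_alg": SIG_ALGS.get(sig_alg[0], f"unknown({sig_alg[0]})"),
        "signature": signature,
    }


def parse_sct_list(tls_blob: bytes) -> list[dict]:
    """SignedCertificateTimestampList: u16 total length, then u16-prefixed SCTs."""
    total = struct.unpack("!H", tls_blob[:2])[0]
    body = tls_blob[2:2 + total]
    if len(body) != total:
        raise ValueError("truncated SCT list")
    scts, pos = [], 0
    while pos < len(body):
        n_raw, pos = _take(body, pos, 2)
        sct_bytes, pos = _take(body, pos, struct.unpack("!H", n_raw)[0])
        scts.append(parse_sct(sct_bytes))
    return scts


def parse_sct_extension(extn_value_der: bytes) -> list[dict]:
    """Certificate or OCSP extnValue (DER OCTET STRING) -> list of parsed SCTs."""
    return parse_sct_list(der_octet_string_payload(extn_value_der))


# --- constructed sample input (placeholder log IDs and signatures, not real) ---
def _der_length(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    enc = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(enc)]) + enc


def _build_sct(log_id: bytes, timestamp_ms: int, signature: bytes) -> bytes:
    # v1, log_id, timestamp, empty extensions, sha256 (4) + ecdsa (3), signature
    return (b"\x00" + log_id + struct.pack("!Q", timestamp_ms) + b"\x00\x00"
            + b"\x04\x03" + struct.pack("!H", len(signature)) + signature)


def build_sct_extension(scts: list[bytes]) -> bytes:
    body = b"".join(struct.pack("!H", len(s)) + s for s in scts)
    tls = struct.pack("!H", len(body)) + body
    return b"\x04" + _der_length(len(tls)) + tls


FAKE_SIG = b"\x30\x44\x02\x20" + b"\x01" * 32 + b"\x02\x20" + b"\x02" * 32  # 70 bytes
SAMPLE_EXTENSION = build_sct_extension([
    _build_sct(bytes(range(32)), 1430870400000, FAKE_SIG),   # 2015-05-06T00:00:00Z
    _build_sct(bytes([0xAA]) * 32, 1430870400000, FAKE_SIG),
])

if __name__ == "__main__":
    for sct in parse_sct_extension(SAMPLE_EXTENSION):
        print(sct["log_id"][:16], sct["timestamp"].isoformat(), sct["hash_alg"], sct["sig_alg"])
```

To use it against a real certificate, feed parse_sct_extension() the raw extnValue of the 1.3.6.1.4.1.11129.2.4.2 extension (or the 1.3.6.1.4.1.11129.2.4.5 extension from an OCSP SingleResponse); either way the log ID tells you which log to ask, and the timestamp plus the log's maximum merge delay tells you when the entry must be visible there. The sample list is deliberately longer than 127 bytes so the long-form DER length path is exercised, which is the case for any certificate carrying two or more ECDSA-signed SCTs.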