> > Use short-lived certificates
> >
> > This doesn't make sense to me. A short-lived cert will be permanently logged in CT.
>
> In fact using shorter certs means more entries for the onion service in the CT log - making it easier, not harder, to find.

The assumption is that the information being logged might change, so it limits the exposure, but maybe that’s not valid.

> > Use a separate domain/key pair
> >
> > This goes counter to the whole idea of a PKI. Using a cert for a.onion on b.onion asserts very little useful.

Well, this is onion we’re discussing here, but point taken. :-)

> > CT Exemption Advocacy
> >
> > I don't think an RFC is the place to advocate for changes in a different organization, but otherwise agreed.

I will incorporate the rest of your comments as appropriate.

Regards,
Derrell

--
last-call mailing list -- last-call@xxxxxxxx
To unsubscribe send an email to last-call-leave@xxxxxxxx