[cabfpub] Question on CT: Monitoring
Eddy Nigg (StartCom Ltd.)
eddy_nigg at startcom.org
Sat Dec 21 18:32:50 UTC 2013
On 12/21/2013 12:24 AM, From Rob Stradling:
> Indeed. However, apparently it took 9 days for them to discover the
> breach. CT would've hopefully helped them notice quicker (and it
> certainly would've made a cover-up impossible!)
Just to be clear - I'm absolutely not against the original idea and
effort to find a solution to this problem if that is possible. And such
a solution could come with different flavors - nobody forced the
software vendors to accept every national/local/regional CA on a global
basis for example.
But as far as I see it, the CT proposal is so intrusive for us in so
many aspects (infrastructure, business model, personnel and more) that
I'm not sure if we are willing to or can pay the price for it. Especially
when we have proven utmost diligence as far as our operation is concerned - just
see http://www.netcraft.com/internet-data-mining/ssl-survey/ as an example:
> The distribution of key lengths, however, varies significantly
> between different CAs. For example, in May 2013, StartCom had issued
> no certificates with an RSA public key shorter than 2048-bits and
> almost 20% are 4096-bits long, more than any other major CA.
Everything should remain reasonable, however, and I don't believe there is
100% security, as mistakes can and will happen (not only with CAs, but in
the entire ecosystem including software). This is something we all
clearly should keep in mind all the time (if you are looking for 100%,
stop using the Internet because it doesn't exist). There can, however, be
100% effort, which we should expect from all certificate authorities - or
otherwise don't run one.
Regards
Signer: Eddy Nigg, COO/CTO
StartCom Ltd. <http://www.startcom.org>
XMPP: startcom at startcom.org <xmpp:startcom at startcom.org>
Blog: Join the Revolution! <http://blog.startcom.org>
Twitter: Follow Me <http://twitter.com/eddy_nigg>