[cabfpub] Question on CT: Monitoring
rob.stradling at comodo.com
Fri Jan 3 16:25:55 UTC 2014
On 21/12/13 18:32, Eddy Nigg (StartCom Ltd.) wrote:
> On 12/21/2013 12:24 AM, From Rob Stradling:
>> Indeed. However, apparently it took 9 days for them to discover the
>> breach. CT would've hopefully helped them notice quicker (and it
>> certainly would've made a cover-up impossible!)
> Just to be clear - I'm absolutely not against the original idea and
> effort to find a solution to this problem if that is possible.
> And such a solution could come with different flavors - nobody forced the
> software vendors to accept every national/local/regional CA on a global
> basis for example.
How would restricting national/local/regional CAs do anything to solve
the problem of detecting misissuances?
> But as far as I see it, the CT proposal is that intrusive for us in so
> many aspects (infrastructure, business model, personnel and more) that
> I'm not sure if we are willing or can pay the price for it.
Can I urge you to at least sit down and read RFC6962?
> Especially when we have proven utmost diligence as far as our operation is concerned
DigiNotar had audit reports proving their utmost diligence too.
Everything seemed fine...
> - just
> see http://www.netcraft.com/internet-data-mining/ssl-survey/ as an example:
> The distribution of key lengths, however, varies significantly
> between different CAs. For example, in May 2013, StartCom had issued
> no certificates with an RSA public key shorter than 2048-bits and
> almost 20% are 4096-bits long, more than any other major CA.
How does your customers' choice of key length reduce the chances of
StartCom misissuing certs in the future?
> Everything should remain reasonable however and I don't believe there is
> 100% security as mistakes can and will happen (not only with CAs, but
> the entire ecosystem including software).
Yes, and CA compromises can and will happen too.
> This is something we all clearly should keep in mind all the time (if you
> are looking for 100% stop using the Internet because it doesn't exist).
> There can be however 100% effort which we should expect from all certificate
> authorities or otherwise don't run one.
However, 100% effort won't prevent misissuances. Therefore, we need to
solve the problem of detecting misissuances.
Do you have a better idea (than CT) for solving the problem of detecting
misissuances? If so, please write it up as an Internet Draft.
Senior Research & Development Scientist
COMODO - Creating Trust Online
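The subject of this thread is CT monitoring, and the argument above rests on the claim that a public, append-only log lets a third party detect a misissued certificate that the CA's own audits would not reveal. As an added example (not code from this thread, from RFC 6962 itself, or from any CA's or log operator's monitoring system), the Python below sketches the mechanics a monitor relies on: it recomputes the RFC 6962 Merkle Tree Hash, builds inclusion proofs per section 2.1.1, verifies them with the step-by-step procedure RFC 9162 gives for the same tree, and then scans a log for certificates naming a watched domain but issued by a CA the domain owner does not use. The log entries, the watched-domain list and the `domain|issuer|serial` leaf format are constructed stand-ins for the certificate bytes a real MerkleTreeLeaf carries; a real monitor would parse DER and talk to a log's `get-entries` endpoint instead.

```python
"""Toy RFC 6962 CT monitor: Merkle Tree Hash, inclusion proofs and a
domain-watch scan.  Added example; the log contents are constructed."""
import hashlib


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def leaf_hash(entry: bytes) -> bytes:
    # RFC 6962 s2.1: MTH({d0}) = SHA-256(0x00 || d0)
    return _h(b"\x00" + entry)


def node_hash(left: bytes, right: bytes) -> bytes:
    # RFC 6962 s2.1: interior node = SHA-256(0x01 || left || right)
    return _h(b"\x01" + left + right)


def _split(n: int) -> int:
    # k = largest power of two strictly less than n (n >= 2)
    k = 1
    while k * 2 < n:
        k *= 2
    return k


def merkle_tree_hash(entries) -> bytes:
    # RFC 6962 s2.1: MTH(D[n]); the empty tree hashes the empty string
    n = len(entries)
    if n == 0:
        return _h(b"")
    if n == 1:
        return leaf_hash(entries[0])
    k = _split(n)
    return node_hash(merkle_tree_hash(entries[:k]), merkle_tree_hash(entries[k:]))


def inclusion_path(m: int, entries) -> list:
    # RFC 6962 s2.1.1: PATH(m, D[n]), the audit path for leaf m
    n = len(entries)
    if n == 1:
        return []
    k = _split(n)
    if m < k:
        return inclusion_path(m, entries[:k]) + [merkle_tree_hash(entries[k:])]
    return inclusion_path(m - k, entries[k:]) + [merkle_tree_hash(entries[:k])]


def verify_inclusion(entry: bytes, index: int, tree_size: int, path, root: bytes) -> bool:
    # Verification procedure from RFC 9162 s2.1.3.2 (same tree shape as RFC 6962)
    if index >= tree_size:
        return False
    fn, sn = index, tree_size - 1
    r = leaf_hash(entry)
    for p in path:
        if sn == 0:
            return False
        if fn & 1 or fn == sn:
            r = node_hash(p, r)
            while not (fn & 1) and fn != 0:
                fn >>= 1
                sn >>= 1
        else:
            r = node_hash(r, p)
        fn >>= 1
        sn >>= 1
    return sn == 0 and r == root


# Constructed log: "<domain>|<issuer>|<serial>" stands in for the certificate
# bytes a real log carries; entry 3 is a certificate for example.com from a
# CA the domain owner never used.
LOG = [
    b"example.com|Example Internal CA|0001",
    b"shop.example.com|Example Internal CA|0002",
    b"mail.example.org|Other CA|0a1b",
    b"example.com|Rogue Intermediate|dead",
    b"www.example.com|Example Internal CA|0003",
]
# Watched registered domains and the only issuer each owner expects (assumed).
WATCHED = {"example.com": "Example Internal CA"}


def _watched_issuer(domain: str, watched: dict):
    # Match the exact domain or any subdomain of a watched name
    for base, issuer in watched.items():
        if domain == base or domain.endswith("." + base):
            return issuer
    return None


def scan_log(log, watched=WATCHED) -> list:
    """Return [(index, entry)] for each entry that names a watched domain but
    was issued by an unexpected CA.  Each alert is checked against the tree
    head first, so the evidence is tied to a root hash the log has published
    and cannot later be disowned without an inconsistent tree."""
    root = merkle_tree_hash(log)
    alerts = []
    for i, raw in enumerate(log):
        domain, issuer, _serial = raw.decode().split("|")
        expected = _watched_issuer(domain, watched)
        if expected is None or issuer == expected:
            continue
        if not verify_inclusion(raw, i, len(log), inclusion_path(i, log), root):
            raise RuntimeError("entry %d not provably in the tree" % i)
        alerts.append((i, raw))
    return alerts


if __name__ == "__main__":
    for i, raw in scan_log(LOG):
        print("ALERT: log index %d: %s" % (i, raw.decode()))
```

Note that an inclusion proof alone shows the entry was in some tree the log signed; catching a log that later drops the entry needs the consistency proofs of RFC 6962 section 2.1.2 between successive tree heads, which this sketch leaves out.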