[cabfpub] Question on CT: Monitoring
rob.stradling at comodo.com
Mon Jan 6 12:43:53 UTC 2014
On 06/01/14 10:56, Eddy Nigg (StartCom Ltd.) wrote:
> On 01/06/2014 12:17 PM, From Rob Stradling:
>> Are you saying that you require a certain proportion of your
>> subscribers to use 4096-bit keys?
> No, not yet - but we require minimum 2K keys....
>> The cut-off date for <2048-bit keys was a few days ago. May 2013 was
>> before the deadline, not after.
> ...since 2008!
So what? Were 1024-bit RSA keys considered insecure for authenticating
servers back in 2008?
>>> And I can give you a couple of more such examples if you want,
>>> setting the bar clearly higher.
>> Please do.
> No internal host names and IP addresses.
> No long living certificates.
> Validation requirement for certain purposes (as in code signing).
> And more...
I don't think this makes StartCom any less likely than any other CA to
make mistakes in the future, or to get hacked, or to be compelled by
government to mis-issue, etc.
CT is needed, irrespective of each CA's past performance.
(BTW, if you think that the BRs don't set the bar high enough, please
propose changes to the BRs).
>> I don't want you to speak for Google either. I only asked you to
>> speak for yourself. ;-)
> That's what I do - CT is Google's project and if they have to say
> something they'll probably do that without hesitation :-)
Sure, but I asked "Do you have a better idea (than CT) for solving the
problem of detecting misissuances?"
I conclude that you don't.
I hope that you will embrace CT. :-)
Senior Research & Development Scientist
COMODO - Creating Trust Online