<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<br>
On 12/18/2013 08:11 PM, From Ryan Sleevi:
<blockquote
cite="mid:CACvaWvbB8F+E8udg1DMdQDQEFfJ9uR13YyUPh6YVQ1QWBtbzyA@mail.gmail.com"
type="cite">
<div dir="ltr"><br>
<div>
<div class="gmail_extra">
<div class="gmail_quote">
<div>Auditors are not equivalent to site operators. Site
operators carry great risk in pinning and getting it
right <br>
</div>
</div>
</div>
</div>
</div>
</blockquote>
<br>
Site operators don't do pinning I guess...<br>
<br>
<blockquote
cite="mid:CACvaWvbB8F+E8udg1DMdQDQEFfJ9uR13YyUPh6YVQ1QWBtbzyA@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>
<div class="gmail_extra">
<div class="gmail_quote">
<div><br>
</div>
<div>Pinning offers the ability for anyone, without risk
to their operational capability, to look to examine for
misissuance - past or present.</div>
</div>
</div>
</div>
</div>
</blockquote>
<br>
I think you meant something else here...<br>
<br>
<blockquote
cite="mid:CACvaWvbB8F+E8udg1DMdQDQEFfJ9uR13YyUPh6YVQ1QWBtbzyA@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>
<div class="gmail_extra">
<div class="gmail_quote">
<div><br>
</div>
<div>Every single public CA security incident we have seen
in the past 3 years would have been detected immediately
from a system like CT.</div>
</div>
</div>
</div>
</div>
</blockquote>
<br>
Maybe... it's just another layer really. <br>
<br>
<blockquote
cite="mid:CACvaWvbB8F+E8udg1DMdQDQEFfJ9uR13YyUPh6YVQ1QWBtbzyA@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>
<div class="gmail_extra">
<div class="gmail_quote">
<div>Trustwave, Diginotar, Turktrust, and most recently,
ANSSI were all detected through luck and vigilance, and
only because they happened to affect a large site whose
engineers are using every means capable to them to
attempt to detect such mis-issuance.</div>
</div>
</div>
</div>
</div>
</blockquote>
<br>
I assume it was detected because said large site also produces a
browser and used pinning to detect it.<br>
<br>
<blockquote
cite="mid:CACvaWvbB8F+E8udg1DMdQDQEFfJ9uR13YyUPh6YVQ1QWBtbzyA@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>
<div class="gmail_extra">
<div class="gmail_quote">
<div><br>
</div>
<div>For all we know, there may be thousands of other
misissuances from existing CAs</div>
</div>
</div>
</div>
</div>
</blockquote>
<br>
Probably exaggerated, but there might be a couple more...<br>
<br>
<blockquote
cite="mid:CACvaWvbB8F+E8udg1DMdQDQEFfJ9uR13YyUPh6YVQ1QWBtbzyA@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>
<div class="gmail_extra">
<div class="gmail_quote">
<div>CT makes it possible for anyone - from Joe Schmo on
the street with his $10 certificate, to the
multi-billion dollar multi-national with engineers
committed to dealing with just this issue - to detect
misissuance.</div>
</div>
</div>
</div>
</div>
</blockquote>
<br>
It gives the potential, yes. Pinning could do the same...<br>
<br>
<blockquote
cite="mid:CACvaWvbB8F+E8udg1DMdQDQEFfJ9uR13YyUPh6YVQ1QWBtbzyA@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>
<div class="gmail_extra">
<div class="gmail_quote">
<div><br>
</div>
<div>I think you're pretty grossly understating the
benefit here.</div>
<div> </div>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"> <br>
IMO pinning can achieve the same way cheaper (for me).
And again, if we could combine revocation for example,
the benefit would be much bigger and trade off the
expenses/efforts...</div>
</blockquote>
<div><br>
</div>
<div>Assume the cost of pinning is $100/year/site.</div>
</div>
</div>
</div>
</div>
</blockquote>
<br>
How did you arrive at that sum? Pinning shouldn't really cost
anything once the code is in the browsers. I also assume that code
changes for CT wouldn't be any cheaper than that.<br>
<br>
<blockquote
cite="mid:CACvaWvbB8F+E8udg1DMdQDQEFfJ9uR13YyUPh6YVQ1QWBtbzyA@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>
<div class="gmail_extra">
<div class="gmail_quote">
<div>Assume the cost of CT is $10,000/year/CA.</div>
</div>
</div>
</div>
</div>
</blockquote>
<br>
And you vastly underestimate that. My over-the-top calculation looks
fairly different - for a CA budgeting more tightly than others, this
could be a game changer.<br>
<br>
<br>
<div class="moz-signature">
<table border="0" cellpadding="0" cellspacing="0">
<tbody>
<tr>
<td colspan="2">Regards </td>
</tr>
<tr>
<td colspan="2"> </td>
</tr>
<tr>
<td>Signer: </td>
<td>Eddy Nigg, COO/CTO</td>
</tr>
<tr>
<td> </td>
<td><a href="http://www.startcom.org">StartCom Ltd.</a></td>
</tr>
<tr>
<td>XMPP: </td>
<td><a href="xmpp:startcom@startcom.org">startcom@startcom.org</a></td>
</tr>
<tr>
<td>Blog: </td>
<td><a href="http://blog.startcom.org">Join the Revolution!</a></td>
</tr>
<tr>
<td>Twitter: </td>
<td><a href="http://twitter.com/eddy_nigg">Follow Me</a></td>
</tr>
<tr>
<td colspan="2"> </td>
</tr>
</tbody>
</table>
</div>
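<p>The thread contrasts two detection models without spelling them out: a CT-style monitor is an offline scan of a public log that anyone can run for a zone, while a pin is only checked by a client that holds the pins and actually connects. The following is an added example (not code from either participant or from any CA or browser) that shows both checks side by side. The log entries, CA names, serials and "SPKI" byte strings are constructed stand-ins; the pin format (base64 of SHA-256 over the SubjectPublicKeyInfo) and the single-label wildcard rule follow HPKP and RFC 6125 respectively.</p>

```python
"""Two ways of catching a mis-issued certificate for a zone you control.

Added example, not part of the thread. All log entries, CA names and
key material below are constructed; the "SPKI" bytes stand in for DER.
"""
import base64
import hashlib
from dataclasses import dataclass


def spki_pin(spki_der: bytes) -> str:
    """Pin value: base64(SHA-256(SubjectPublicKeyInfo DER)), as in HPKP."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


@dataclass
class LogEntry:
    issuer: str
    serial: str
    sans: list        # dNSName SAN values as logged
    spki_der: bytes   # end-entity public key (constructed bytes here)


def in_zone(san: str, zone: str) -> bool:
    """True if a SAN (wildcard or not) names the zone or anything under it."""
    san = san.lower().rstrip(".")
    zone = zone.lower().rstrip(".")
    if san.startswith("*."):
        san = san[2:]
    return san == zone or san.endswith("." + zone)


def find_misissued(log, zone, authorized_issuers, known_pins):
    """CT-style monitor: anyone holding the log can run this; no client is involved.

    Flags every logged cert in the zone that came from a CA the operator never
    used, or from the right CA but for a key the operator does not own.
    """
    findings = []
    for e in log:
        if not any(in_zone(s, zone) for s in e.sans):
            continue
        if e.issuer not in authorized_issuers:
            findings.append((e.serial, "unauthorized issuer: " + e.issuer))
        elif spki_pin(e.spki_der) not in known_pins:
            findings.append((e.serial, "authorized issuer, unexpected key"))
    return findings


def hostname_matches(san: str, host: str) -> bool:
    """RFC 6125-style: exact match, or exactly one label under a leftmost wildcard."""
    san, host = san.lower().rstrip("."), host.lower().rstrip(".")
    if not san.startswith("*."):
        return san == host
    parent = san[2:]
    return host.endswith("." + parent) and "." not in host[: -len(parent) - 1]


def pinned_client_accepts(host, entry, pins):
    """Pinning model: only a client that connects and holds the pins ever sees the failure."""
    if not any(hostname_matches(s, host) for s in entry.sans):
        return False
    return spki_pin(entry.spki_der) in pins


# --- constructed sample data (not a real log) ---
LEGIT_KEY = b"constructed-spki-operator-key"
ROGUE_KEY = b"constructed-spki-attacker-key"
ZONE = "example.test"
AUTHORIZED = {"Operator's CA"}
PINS = {spki_pin(LEGIT_KEY)}

LOG = [
    LogEntry("Operator's CA", "01", ["example.test", "www.example.test"], LEGIT_KEY),
    LogEntry("Operator's CA", "02", ["*.example.test"], LEGIT_KEY),
    LogEntry("Some Other CA", "03", ["www.example.test"], ROGUE_KEY),    # mis-issued
    LogEntry("Operator's CA", "04", ["mail.example.test"], ROGUE_KEY),   # right CA, wrong key
    LogEntry("Some Other CA", "05", ["www.unrelated.test"], ROGUE_KEY),  # not our zone
]

if __name__ == "__main__":
    for serial, why in find_misissued(LOG, ZONE, AUTHORIZED, PINS):
        print(f"serial {serial}: {why}")
    print("pinned client accepts rogue cert:",
          pinned_client_accepts("www.example.test", LOG[2], PINS))
```

<p>The monitor catches serial 04 as well as 03, which a pin alone would only surface once some pinned client happened to connect to a host presenting it; conversely the pin check rejects the rogue certificate at handshake time but learns nothing about certificates it never sees.</p>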
<br>
</body>
</html>