<div dir="ltr">Hi Kirk,<div><br></div><div>The numbers were hardly meant to be "representative". Pinning is far more expensive than $100, and I have no doubt that for some CAs, they may find their inability to change issuance pipeline, or to maintain a consistent view of it, may see their costs far exceed $10,000.</div>
<div><br></div><div>The purpose of these numbers, and breaking them down into smaller ones, was to show that the math of CT vs pinning is that CT, even if more expensive upfront for CAs, is a far greater cost savings because it affects *every single secure site operator*. The force multiplier of having valid detection mechanism available for every website, versus requiring the significant engineering and technical investment into pinning (as well as the unforeseen costs of getting pinning wrong) mean that in any world in which there are more than a dozen or so SSL sites, CT is a far cheaper option.</div>
<div><br></div><div>I don't mean to resurrect the "pinning as viable" thread - surely because it's not and they solve different issues - but the costs of pinning are directly born by the site operators, yet the risks are themselves introduced by the continued failures and misbehaviours of CAs. Surely that's putting the cost on the wrong actors - a cost that is still far, far greater than CT will be.<br>
<div class="gmail_extra"><br><br><div class="gmail_quote">On Wed, Dec 18, 2013 at 8:07 PM, <a href="mailto:kirk_hall@trendmicro.com">kirk_hall@trendmicro.com</a> <span dir="ltr"><<a href="mailto:kirk_hall@trendmicro.com" target="_blank" class="cremed">kirk_hall@trendmicro.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div lang="EN-US" link="blue" vlink="purple">
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Ryan – out of curiosity, how did you come up with an estimated cost on CAs of CT implementation of $10,000 per year per CA?<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> <a href="mailto:public-bounces@cabforum.org" target="_blank" class="cremed">public-bounces@cabforum.org</a> [mailto:<a href="mailto:public-bounces@cabforum.org" target="_blank" class="cremed">public-bounces@cabforum.org</a>]
<b>On Behalf Of </b>Ryan Sleevi<br>
<b>Sent:</b> Wednesday, December 18, 2013 1:11 PM</span></p><div class="im"><br>
<b>To:</b> Eddy Nigg (StartCom Ltd.)<br>
</div><b>Cc:</b> CABFPub<br>
<b>Subject:</b> Re: [cabfpub] [cabfman] Improving the security of EV Certificates<u></u><u></u><p></p><div><div class="h5">
<p class="MsoNormal"><u></u> <u></u></p>
<div>
<p class="MsoNormal">Hi Eddy,<u></u><u></u></p>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">Thanks for allowing this to be posted to the public list. I've attempted to reply to your points below.<u></u><u></u></p>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><u></u> <u></u></p>
<div>
<p class="MsoNormal">On Wed, Dec 18, 2013 at 9:55 AM, Eddy Nigg (StartCom Ltd.) <<a href="mailto:eddy_nigg@startcom.org" target="_blank" class="cremed">eddy_nigg@startcom.org</a>> wrote:<u></u><u></u></p>
<div>
<p class="MsoNormal"><br>
On 12/18/2013 07:28 PM, From Jeremy Rowley: <u></u><u></u></p>
<div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Pinning is more risky for unsophisticated users who could brick their systems.
</span><u></u><u></u></p>
</div>
</blockquote>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<p class="MsoNormal">I don't think so....such users would never use it, the same way such users would never investigate a log or list of certificates. <u></u><u></u></p>
</div>
<blockquote style="border:none;border-left:solid #cccccc 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<div>
<div>
<p class="MsoNormal"><br>
<br>
<u></u><u></u></p>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Plus, pinning becomes a market divider so I’d worry about anti-trust violations if the recommendation
came from the CAB Forum. </span><u></u><u></u></p>
</div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<p class="MsoNormal">How come, can you explain?<u></u><u></u></p>
</div>
</blockquote>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">Much in the same way that some CAs object to CAA. Any notion of having the CA/Browser Forum encourage that users use technological means to say "I have relationships with these CAs, and I would prefer [other CAs] not issue" seems to scare
some members. I do not believe this is at all warranted, and is more likely a mischaracterization of the technology, but that's something to be deferred for your own legal counsel.<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">Both pinning and CAA are ways for customers to take control of the "Every CA is capable of issuing for every site" issue, which we see year after year, incident after incident to be the root cause of the continued erosion of trust in the
CA ecosystem.<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"> <u></u><u></u></p>
</div>
<blockquote style="border:none;border-left:solid #cccccc 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<div>
<div>
<p class="MsoNormal"><br>
<br>
<br>
<u></u><u></u></p>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Transparency, in my view, is better because it requires a change only by the CAs and browsers, not
by the users. The information is then available for any researcher to digest and evaluate, not just the end user.
</span><u></u><u></u></p>
</div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<p class="MsoNormal">It's mostly the competing CAs!!!, software vendors, Netcraft and friends, and some researchers that care about it (EFF, Qualsys and some others). It's the same crowd that would use pinning too.<u></u><u></u></p>
</div>
</blockquote>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">This is not true at all.<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">Auditors are not equivalent to site operators. Site operators carry great risk in pinning and getting it right - it certainly provides preventative benefits, but with an operational complexity cost. Further, organizations like EFF, Qualsys
and others cannot defer those costs on behalf of the site operator. It's a risk they bear on themselves.<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">Pinning offers the ability for anyone, without risk to their operational capability, to look to examine for misissuance - past or present. This presents zero risk for the site operator, at a cost born by the CA, whereas today's system of
global issuance capability with no auditing is a zero-cost-to-the-CA, with risk and cost born by every single site that would ever wish or does use SSL.<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"> <u></u><u></u></p>
</div>
<blockquote style="border:none;border-left:solid #cccccc 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<div>
<div>
<p class="MsoNormal"><br>
<br>
<br>
<u></u><u></u></p>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">A headache is when another DigiNotar is compromised , issues a couple thousand certificates fraudulently,
and covers it up for several months. </span><u></u><u></u></p>
</div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<p class="MsoNormal">Truly a problem, but may be attacked from a different angel (how about different approach to auditing?). I mean, we are doing our utmost to comply to all the various requirements and much more than that - a price we are willing to pay
because for this we are here. Now this proposal has a significant price tag for something that hasn't been tested and used over time with the "only" goal to detect the next DigiNotar.<u></u><u></u></p>
</div>
</blockquote>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">Every single public CA security incident we have seen in the past 3 years would have been detected immediately from a system like CT. Trustwave, Diginotar, Turktrust, and most recently, ANSSI were all detected through luck and vigilance,
and only because they happened to affect a large site whose engineers are using every means capable to them to attempt to detect such mis-issuance.<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">For all we know, there may be thousands of other misissuances from existing CAs - whether well-meaning or not - that have gone unnoticed, simply because they did not decide to affect one particular site. CT makes it possible for anyone
- from Joe Schmo on the street with his $10 certificate, to the multi-billion dollar multi-national with engineers committed to dealing with just this issue - to detect misissuance.<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">I think you're pretty grossly understating the benefit here.<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"> <u></u><u></u></p>
</div>
<blockquote style="border:none;border-left:solid #cccccc 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<div>
<p class="MsoNormal"><br>
IMO pinning can achieve the same way cheaper (for me). And again, if we could combine revocation for example, the benefit would be much bigger and trade off the expenses/efforts...<u></u><u></u></p>
</div>
</blockquote>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">Assume the cost of pinning is $100/year/site.<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal">Assume the cost of CT is $10,000/year/CA.<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">By any measure, CT has a far bigger benefit with far fewer expenses, efforts. And that's using a very generous understatement of pinning's costs (operationally), which is likely several orders of magnitude higher as the profile of the site
increases. And even if CT itself carries with it several orders of magnitude more cost, the math *still* works out, because there are *millions* of sites that use SSL, and *millions* more that should, and if your idea is pinning is right for everyone, then
you're asking inordinate amount of costs to be born for all users, many of which who may and are happy with "detection" over "prevention" for their risk/reward profile.<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"> <u></u><u></u></p>
</div>
<blockquote style="border:none;border-left:solid #cccccc 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><br>
<br>
<u></u><u></u></p>
<div>
<table border="0" cellspacing="0" cellpadding="0">
<tbody>
<tr>
<td colspan="2" style="padding:0in 0in 0in 0in">
<p class="MsoNormal">Regards <u></u><u></u></p>
</td>
</tr>
<tr>
<td colspan="2" style="padding:0in 0in 0in 0in">
<p class="MsoNormal"> <u></u><u></u></p>
</td>
</tr>
<tr>
<td style="padding:0in 0in 0in 0in">
<p class="MsoNormal">Signer: <u></u><u></u></p>
</td>
<td style="padding:0in 0in 0in 0in">
<p class="MsoNormal">Eddy Nigg, COO/CTO<u></u><u></u></p>
</td>
</tr>
<tr>
<td style="padding:0in 0in 0in 0in">
<p class="MsoNormal"> <u></u><u></u></p>
</td>
<td style="padding:0in 0in 0in 0in">
<p class="MsoNormal"><a href="http://www.startcom.org" target="_blank" class="cremed">StartCom Ltd.</a><u></u><u></u></p>
</td>
</tr>
<tr>
<td style="padding:0in 0in 0in 0in">
<p class="MsoNormal">XMPP: <u></u><u></u></p>
</td>
<td style="padding:0in 0in 0in 0in">
<p class="MsoNormal"><a href="mailto:startcom@startcom.org" target="_blank" class="cremed">startcom@startcom.org</a><u></u><u></u></p>
</td>
</tr>
<tr>
<td style="padding:0in 0in 0in 0in">
<p class="MsoNormal">Blog: <u></u><u></u></p>
</td>
<td style="padding:0in 0in 0in 0in">
<p class="MsoNormal"><a href="http://blog.startcom.org" target="_blank" class="cremed">Join the Revolution!</a><u></u><u></u></p>
</td>
</tr>
<tr>
<td style="padding:0in 0in 0in 0in">
<p class="MsoNormal">Twitter: <u></u><u></u></p>
</td>
<td style="padding:0in 0in 0in 0in">
<p class="MsoNormal"><a href="http://twitter.com/eddy_nigg" target="_blank" class="cremed">Follow Me</a><u></u><u></u></p>
</td>
</tr>
<tr>
<td colspan="2" style="padding:0in 0in 0in 0in">
<p class="MsoNormal"> <u></u><u></u></p>
</td>
</tr>
</tbody>
</table>
</div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
</div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><br>
_______________________________________________<br>
Management mailing list<br>
<a href="mailto:Management@cabforum.org" target="_blank" class="cremed">Management@cabforum.org</a><br>
<a href="https://cabforum.org/mailman/listinfo/management" target="_blank" class="cremed">https://cabforum.org/mailman/listinfo/management</a><u></u><u></u></p>
</blockquote>
</div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
</div>
</div>
</div></div></div>
</div>
<table><tbody><tr><td bgcolor="#ffffff"><font color="#000000"><pre><table><tbody><tr><td><pre>TREND MICRO EMAIL NOTICE
The information contained in this email and any attachments is confidential
and may be subject to copyright or other intellectual property protection.
If you are not the intended recipient, you are not authorized to use or
disclose this information, and we request that you notify us by reply mail or
telephone and delete the original message from your mail system.
</pre></td></tr></tbody></table></pre></font></td></tr></tbody></table></blockquote></div><br></div></div></div>