<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<br>
On 12/19/2013 01:29 AM, From Ryan Sleevi:
<blockquote
cite="mid:CACvaWvYi7xNCUCz5dEYFeoatY6b20YgYYXEViOhFjHSuBiehTA@mail.gmail.com"
type="cite">
<div dir="ltr"><br>
<div class="gmail_extra">On Wed, Dec 18, 2013 at 3:23 PM, Eddy
Nigg (StartCom Ltd.) <span dir="ltr">&lt;<a
moz-do-not-send="true"
href="mailto:eddy_nigg@startcom.org" target="_blank">eddy_nigg@startcom.org</a>&gt;</span>
wrote:<br>
<div class="gmail_quote">
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"> But this is exactly
how Diginotar was detected however - basically a few
emails back I suggested that browser vendors nail the
most important sites in their browser as "pins" and
allow users to pin additional certificates to the
respective sites. It's a very simple and efficient way
to get some protection and allows detection for the most
important sites.<br>
</div>
</blockquote>
<div><br>
</div>
<div>So your idea is that every end-user is capable of
evaluating the security policy of the site, without input
of the site operator?</div>
</div>
</div>
</div>
</blockquote>
<br>
No, as not every user is capable or has the necessary
interest/knowledge/integrity to monitor and review a log containing
all issued certificates and to know what to do with this data. And I
made the other arguments already at the management list I think.<br>
<br>
<blockquote
cite="mid:CACvaWvYi7xNCUCz5dEYFeoatY6b20YgYYXEViOhFjHSuBiehTA@mail.gmail.com"
type="cite">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote">
<div>And who do these users yell at when pins break?</div>
</div>
</div>
</div>
</blockquote>
<br>
There is most likely a reason if that happens, this way or the
other. Knowledgeable users will know the difference and the others
will not pin any certificates to start with.<br>
<br>
<blockquote
cite="mid:CACvaWvYi7xNCUCz5dEYFeoatY6b20YgYYXEViOhFjHSuBiehTA@mail.gmail.com"
type="cite">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote">
<div>The suggestion that pinning is between user+browser,
rather than site+browser, is certainly a far worse model,
utterly incomprehensible and providing no value to end
users.</div>
</div>
</div>
</div>
</blockquote>
<br>
It certainly works for me - it even worked for Google as far as I
understood.<br>
<br>
<blockquote
cite="mid:CACvaWvYi7xNCUCz5dEYFeoatY6b20YgYYXEViOhFjHSuBiehTA@mail.gmail.com"
type="cite">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote">
<div>Also, the idea that we should somehow balkanize the
Internet, and only the "very important ones" get security,
at the discretion of browsers, is a terrible one. </div>
</div>
</div>
</div>
</blockquote>
<br>
It's where the attacks probably happen first with the most value.<br>
<br>
<blockquote
cite="mid:CACvaWvYi7xNCUCz5dEYFeoatY6b20YgYYXEViOhFjHSuBiehTA@mail.gmail.com"
type="cite">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote">
<div>CT provides protection for every single user and site
operator on the Internet - surely you can agree that has
value?</div>
</div>
</div>
</div>
</blockquote>
<br>
That's a very worthy goal and I believe the vast majority get
reasonable protection in any case already today. Otherwise we can
stop using SSL if there is no value in the work CAs perform. Or
change the rules, but don't basically double the work with another
layer.<br>
<br>
<blockquote
cite="mid:CACvaWvYi7xNCUCz5dEYFeoatY6b20YgYYXEViOhFjHSuBiehTA@mail.gmail.com"
type="cite">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote">
<div>Regardless of the views of pinning, however, the
continued failures of the WebTrust and ETSI audit schemes
to "prevent" mis-issuance has demonstrated to root store
operators that it is no longer acceptable for continued
trust in CA operations. </div>
</div>
</div>
</div>
</blockquote>
<br>
Well, that's a very bleak interpretation - of course there were a
bunch of failures (making me real angry too), but nothing is 100%
ever. Not even CT will be, trust me.<br>
<br>
<blockquote
cite="mid:CACvaWvYi7xNCUCz5dEYFeoatY6b20YgYYXEViOhFjHSuBiehTA@mail.gmail.com"
type="cite">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote">
<div>By requiring audits be transparent - which CT does - it
provides a much better trust signal to root stores and
their users that the participating CAs are deserving of
trust. </div>
</div>
</div>
</div>
</blockquote>
<br>
I have no problem with some transparency - I'd be willing to hand
over a list of all issued certificates to an agreed upon consortium
(how about Google, Netcraft, EFF and Qualys) for review if that
would increase your trust of my work. However I'm not really
interested in carrying the costs your proposal implies (at least as far
as I see it, with no real numbers yet) and our subscribers will
probably be very upset because they'll have to pay for it in the end.<br>
<br>
<blockquote
cite="mid:CACvaWvYi7xNCUCz5dEYFeoatY6b20YgYYXEViOhFjHSuBiehTA@mail.gmail.com"
type="cite">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote">
<div>A simple audit letter from an AICPA accountant or a
qualified auditor is no longer sufficient, as the
continued events demonstrate.</div>
</div>
</div>
</div>
</blockquote>
<br>
Can we skip auditing then if there is no value in that? Then
everybody can become a CA as long as the certs are in the CT log?<br>
<br>
<br>
<div class="moz-signature">
<table border="0" cellpadding="0" cellspacing="0">
<tbody>
<tr>
<td colspan="2">Regards </td>
</tr>
<tr>
<td colspan="2"> </td>
</tr>
<tr>
<td>Signer: </td>
<td>Eddy Nigg, COO/CTO</td>
</tr>
<tr>
<td> </td>
<td><a href="http://www.startcom.org">StartCom Ltd.</a></td>
</tr>
<tr>
<td>XMPP: </td>
<td><a href="xmpp:startcom@startcom.org">startcom@startcom.org</a></td>
</tr>
<tr>
<td>Blog: </td>
<td><a href="http://blog.startcom.org">Join the Revolution!</a></td>
</tr>
<tr>
<td>Twitter: </td>
<td><a href="http://twitter.com/eddy_nigg">Follow Me</a></td>
</tr>
<tr>
<td colspan="2"> </td>
</tr>
</tbody>
</table>
</div>
<br>
</body>
</html>