<div dir="ltr"><br><div class="gmail_extra"><br><br><div class="gmail_quote">On Thu, Dec 19, 2013 at 7:26 PM, <a href="mailto:kirk_hall@trendmicro.com">kirk_hall@trendmicro.com</a> <span dir="ltr"><<a href="mailto:kirk_hall@trendmicro.com" target="_blank">kirk_hall@trendmicro.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div lang="EN-US" link="blue" vlink="purple">
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">Ryan – on this one narrow point below – I would estimate that 99.9% of site owners / CA customers do not believe they are at any risk of false certificate issuance for their
domains and do now want or expect their issuing CAs to be (voluntarily and unasked) monitoring all the CT logs in the world for them. </span></p></div></div></blockquote><div><br></div><div>I merely suggested that this was a *possibility*, not that it would be required of any CA.</div>
<div><br></div><div>You were asking under what conditions would a CA be monitoring the CT log, and I tried to explain one such scenario.</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div lang="EN-US" link="blue" vlink="purple"><div><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">
<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">Plus (based on an earlier hypothetical in an email), I expect some (many?) of our customers would be at least mildly offended if our company (who supplies them with certs
in North America, let’s say) suddenly emailed them with the message “Hey, we noticed some certs for your domains issued by some small CA in Europe – those must be fake, right?” and would see it as a pretty heavy handed marketing effort by us to capture 100%
of their SSL business.</span></p></div></div></blockquote><div><br></div><div>Perhaps. We're talking in hypotheticals here, and it's hard to say how a given CA might implement this. That said, if a customer has given strong signals to a CA (eg: via HPKP, CAA, or some opt-in), it would seem to be a real shame for that CA not to provide proactive security services to their customer. Given how many CAs are investing in providing just such services, it seems reasonable to suggest that at least some will adopt CT as an augmentation of providing their customers with an even higher level of security.</div>
<div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div lang="EN-US" link="blue" vlink="purple"><div><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""> <u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">I really don’t see that kind of CT log monitoring as a useful or welcome market service to most SSL customers, unless they specifically ask a CA to monitor all the CT logs
in the world for them and send them reports. I predict most customers won’t be very interested in this service (especially if there is a fee), but who knows?</span></p></div></div></blockquote><div><br></div><div>How it's implemented is certainly up to the CA, and it's reasonable to believe that some CAs will implement it in a customer-friendly manner, and some will implement it in a customer-hostile manner. That's just business as usual, and applies to any industry.</div>
<div><br></div><div>I would hope that, as CT is deployed, CAs would already be proactively monitoring the logs, such as to measure for their own misissuance (in a world where CT becomes mandatory for all certs, and not just EV certs). As Chris Palmer has suggested elsewhere, CT provides signals not just to the public, but to the CAs themselves. To also monitor such logs on their customers behalf, whether at explicit request or based upon some signals, seems to be a negligible cost, but that is of course up to the CAs to evaluate.</div>
<div><br></div><div>I'm merely explaining how, in a world with CT, there are many benefits to the many actors in the system, and a significant reduction in risk - for all parties.</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div lang="EN-US" link="blue" vlink="purple"><div><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""><u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> <a href="mailto:public-bounces@cabforum.org" target="_blank">public-bounces@cabforum.org</a> [mailto:<a href="mailto:public-bounces@cabforum.org" target="_blank">public-bounces@cabforum.org</a>]
<b>On Behalf Of </b>Ryan Sleevi<br>
<b>Sent:</b> Thursday, December 19, 2013 8:17 PM<br>
<b>To:</b> Rick Andrews<br>
<b>Cc:</b> CABFPub<br>
<b>Subject:</b> Re: [cabfpub] Question on CT: Monitoring<u></u><u></u></span></p><div class="im">
<div>
<div>
<div>
<blockquote style="border:none;border-left:solid #cccccc 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<div>
<div>
<p class="MsoNormal"><span style="color:#1f497d"> </span><u></u><u></u></p>
<p class="MsoNormal"><span style="color:#1f497d">“What is the reasoning behind the belief that most monitors will be operated by CAs?” My guess is that it’s because we have the relationship with the
customer.</span><u></u><u></u></p>
</div>
</div>
</blockquote>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">Exactly that. CAs are in the best position to know who their customers are, and already have channels with their customers. Whether or not a CA cares about protecting their users against misissuance is, of course, up to each individual
CA, but considering how much has been said about the need to "restore trust in the ecosystem" - much of which has been lost due to CA misissuance or misbehaviour - it seems very much in line with the business interests of CAs to offer this.<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"> <u></u><u></u></p>
</div>
</div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
</div>
</div></div>
</div>
<table><tbody><tr><td bgcolor="#ffffff"><font color="#000000"><pre><table><tbody><tr><td><pre>TREND MICRO EMAIL NOTICE
The information contained in this email and any attachments is confidential
and may be subject to copyright or other intellectual property protection.
If you are not the intended recipient, you are not authorized to use or
disclose this information, and we request that you notify us by reply mail or
telephone and delete the original message from your mail system.
</pre></td></tr></tbody></table></pre></font></td></tr></tbody></table></blockquote></div><br></div></div>