[cabfpub] [cabfman] Improving the security of EV Certificates

Ryan Sleevi sleevi at google.com
Wed Dec 18 13:14:31 MST 2013


On Dec 18, 2013 11:53 AM, "Eddy Nigg (StartCom Ltd.)" <eddy_nigg at startcom.org> wrote:
>
>
> On 12/18/2013 08:11 PM, From Ryan Sleevi:
>>
>>
>> Auditors are not equivalent to site operators. Site operators carry
great risk in pinning and getting it right
>
>
> Site operators don't do pinning I guess...
>
>
>>
>> Pinning offers the ability for anyone, without risk to their operational
capability, to look to examine for misissuance - past or present.
>
>
> I think you meant something else here...
>

Yes, sorry, CT offers far greater capabilities than pinning.

>
>>
>> Every single public CA security incident we have seen in the past 3
years would have been detected immediately from a system like CT.
>
>
> Maybe...it's just another layer really.
>
>> Trustwave, Diginotar, Turktrust, and most recently, ANSSI were all
detected through luck and vigilance, and only because they happened to
affect a large site whose engineers are using every means available to them
to attempt to detect such mis-issuance.
>
>
> I assume it was detected because said large site also produces a browser
and used pinning to detect it.
>
>
>>
>> For all we know, there may be thousands of other misissuances from
existing CAs
>
>
> Probably exaggerated, but there might be a couple more...
>
>
>> CT makes it possible for anyone - from Joe Schmo on the street with his
$10 certificate, to the multi-billion dollar multi-national with engineers
committed to dealing with just this issue - to detect misissuance.
>
>
> It gives the potential, yes. Pinning could do the same...
>
>
>>
>> I think you're pretty grossly understating the benefit here.
>>
>>>
>>>
>>> IMO pinning can achieve the same way cheaper (for me). And again, if we
could combine revocation for example, the benefit would be much bigger and
trade off the expenses/efforts...
>>
>>
>> Assume the cost of pinning is $100/year/site.
>
>
> How did you arrive at that sum? Pinning shouldn't really cost anything
once the code is in the browsers. I also assume that code changes for CT
wouldn't be any cheaper than that.

Pinning is significantly more expensive. I dropped both estimates by
several powers. Yet it still remains that CT is cheaper by any math.

Pinning is NOT just a knob you turn. It carries huge operational risks to
realize the preventative guarantees - such risks that it is better suited
for the top 100,000 sites, if that.

You argue against CT because you're afraid, without evidence, that
customers of yours won't know the certs they have bought from you. When
that happens, they call you and you look into it. When it happens with
pinning, all their users break.

Site operators already complain, via proxy of CAs, that short cert
lifetimes increase their costs because of key management and operational
costs. Pinning is certainly not free - very much one of those costs - and
carries with it great risk of a single mistake. CT doesn't.

>
>
>> Assume the cost of CT is $10,000/year/CA.
>
>
> And you vastly underestimate that. My over-the-top calculation looks
fairly different - for a CA budgeting more tightly than others, this could
be a game changer.
>
>
>
> Regards
>
> Signer:
> Eddy Nigg, COO/CTO
>
> StartCom Ltd.
> XMPP: startcom at startcom.org
>
>
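The failure mode Ryan describes above (one pinning mistake fails closed for every user, while a CT monitor only raises an alert that the operator can investigate) as an added example that is not part of the original thread. It assumes RFC 7469-style pins (base64 of SHA-256 over the DER SubjectPublicKeyInfo, with a chain passing if any SPKI in it matches any pin) and a deliberately simplified CT log-entry shape; the thread itself names no specific pinning mechanism, so that choice is mine. Every key, domain name and log entry below is constructed, not a real certificate.

```python
"""Added example (not from the cabfpub thread): pin rotation versus CT monitoring.

Assumptions (mine, not the thread's): pins follow RFC 7469 (base64(SHA-256(SPKI DER))),
a served chain passes if any SPKI in it matches any pin, and CT log entries are
reduced to (issuer, dns_names, serial) tuples.  All keys, names and entries are
constructed stand-ins.
"""
import base64
import hashlib


def spki_pin(spki_der: bytes) -> str:
    """RFC 7469 pin value: base64(SHA-256(SubjectPublicKeyInfo DER))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


def pin_check(chain_spkis, pinned):
    """Client-side rule: at least one SPKI in the served chain must match a
    remembered pin, otherwise the connection is hard-failed (no click-through)."""
    return any(spki_pin(s) in pinned for s in chain_spkis)


# Constructed stand-ins for the DER SubjectPublicKeyInfo of three keys (not real keys).
KEY_2013 = b"constructed-spki-site-key-2013"
KEY_2014 = b"constructed-spki-site-key-2014"          # the key the site rotates to
CA_KEY = b"constructed-spki-example-ca-intermediate"


def rotate_without_backup_pin():
    """Operator pinned only the current leaf key, then rotated it.  Every client
    that cached the pin now fails closed until the pin's max-age expires."""
    pins = {spki_pin(KEY_2013)}
    before = pin_check([KEY_2013, CA_KEY], pins)
    after = pin_check([KEY_2014, CA_KEY], pins)
    return before, after            # (True, False): the rotation broke all users


def rotate_with_backup_pin():
    """The discipline pinning demands: pin the next key (or the issuing CA key)
    before it is ever served, so the rotation stays inside the pin set."""
    pins = {spki_pin(KEY_2013), spki_pin(KEY_2014)}
    before = pin_check([KEY_2013, CA_KEY], pins)
    after = pin_check([KEY_2014, CA_KEY], pins)
    return before, after            # (True, True)


# Constructed CT log entries: (issuer, dns_names, serial).
LOG = [
    ("Example CA", ("www.example.com",), "0x1001"),
    ("Example CA", ("mail.example.com",), "0x1002"),
    ("Other CA", ("www.example.com", "login.example.com"), "0xbeef"),
    ("Other CA", ("unrelated.test",), "0x7"),
]


def _covers(name: str, domain: str) -> bool:
    """True if a certificate name is the domain itself or a subdomain of it."""
    return name == domain or name.endswith("." + domain)


def ct_monitor(log, my_domains, known_serials, expected_issuer):
    """What anyone can run over a public log: flag every certificate that names
    one of my domains but that I did not order.  Nothing on the live site changes,
    so a false alarm costs a phone call to the CA, not an outage."""
    suspicious = []
    for issuer, names, serial in log:
        if not any(_covers(n, d) for n in names for d in my_domains):
            continue
        if issuer != expected_issuer or serial not in known_serials:
            suspicious.append((issuer, names, serial))
    return suspicious


if __name__ == "__main__":
    print("pin only, rotate:", rotate_without_backup_pin())
    print("pin + backup, rotate:", rotate_with_backup_pin())
    print("CT monitor flags:", ct_monitor(LOG, ["example.com"],
                                          {"0x1001", "0x1002"}, "Example CA"))
```

The contrast is the point of the thread: the pin check runs inside every client and a missing backup pin turns a routine key rotation into a total outage for the pin's lifetime, whereas the monitor runs offline against a log, touches no client, and turns the "Other CA" certificate for example.com into an alert the site owner can chase with the CA.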