[cabfpub] Question on CT: Monitoring

Eddy Nigg (StartCom Ltd.) eddy_nigg at startcom.org
Sat Dec 21 11:32:50 MST 2013


On 12/21/2013 12:24 AM, From Rob Stradling:
> Indeed.  However, apparently it took 9 days for them to discover the 
> breach.  CT would've hopefully helped them notice quicker (and it 
> certainly would've made a cover-up impossible!)

Just to be clear - I'm absolutely not against the original idea and 
effort to find a solution to this problem if that is possible. And such 
a solution could come with different flavors - nobody forced the 
software vendors to accept every national/local/regional CA on a global 
basis for example.

But as far as I see it, the CT proposal is that intrusive for us in so 
many aspects (infrastructure, business model, personnel and more) that 
I'm not sure if we are willing or can pay the price for it. Especially 
when we have proven utmost diligence as far as our operation is concerned - just 
see http://www.netcraft.com/internet-data-mining/ssl-survey/ as an example:

    The distribution of key lengths, however, varies significantly
    between different CAs. For example, in May 2013, StartCom had issued
    no certificates with an RSA public key shorter than 2048-bits and
    almost 20% are 4096-bits long, more than any other major CA.


Everything should remain reasonable however and I don't believe there is 
100% security as mistakes can and will happen (not only with CAs, but 
the entire ecosystem including software). This is something we all 
clearly should keep in mind all the time (if you are looking for 100% 
stop using the Internet because it doesn't exist). There can be however 
100% effort which we should expect from all certificate authorities or 
otherwise don't run one.


Regards
Signer: 	Eddy Nigg, COO/CTO
	StartCom Ltd. <http://www.startcom.org>
XMPP: 	startcom at startcom.org <xmpp:startcom at startcom.org>
Blog: 	Join the Revolution! <http://blog.startcom.org>
Twitter: 	Follow Me <http://twitter.com/eddy_nigg>

