[cabfpub] [cabfman] Improving the security of EV Certificates

Eddy Nigg (StartCom Ltd.) eddy_nigg at startcom.org
Wed Dec 18 19:52:45 UTC 2013

On 12/18/2013 08:11 PM, From Ryan Sleevi:
> Auditors are not equivalent to site operators. Site operators carry 
> great risk in pinning and getting it right

Site operators don't do pinning I guess...

> Pinning offers the ability for anyone, without risk to their 
> operational capability, to look to examine for misissuance - past or 
> present.

I think you meant something else here...

> Every single public CA security incident we have seen in the past 3 
> years would have been detected immediately from a system like CT.

Maybe...it's just another layer really.

> Trustwave, Diginotar, Turktrust, and most recently, ANSSI were all 
> detected through luck and vigilance, and only because they happened to 
> affect a large site whose engineers are using every means capable to 
> them to attempt to detect such mis-issuance.

I assume it was detected because said large site also produces a browser 
and used pinning to detect it.

> For all we know, there may be thousands of other misissuances from 
> existing CAs

Probably exaggerated, but there might be a couple more...

> CT makes it possible for anyone - from Joe Schmo on the street with 
> his $10 certificate, to the multi-billion dollar multi-national with 
> engineers committed to dealing with just this issue - to detect 
> misissuance.

It gives the potential, yes. Pinning could do the same...

> I think you're pretty grossly understating the benefit here.
>     IMO pinning can achieve the same way cheaper (for me). And again,
>     if we could combine revocation for example, the benefit would be
>     much bigger and trade off the expenses/efforts...
> Assume the cost of pinning is $100/year/site.

How did you arrive at that sum? Pinning shouldn't really cost anything 
once the code is in the browsers. I also assume that code changes for CT 
wouldn't be any cheaper than that.

> Assume the cost of CT is $10,000/year/CA.

And you vastly underestimate that. My over-the-top calculation looks 
fairly different - for a CA budgeting more tightly than others, this 
could be a game changer.

Signer: 	Eddy Nigg, COO/CTO
	StartCom Ltd. <http://www.startcom.org>
XMPP: 	startcom at startcom.org <xmpp:startcom at startcom.org>
Blog: 	Join the Revolution! <http://blog.startcom.org>
Twitter: 	Follow Me <http://twitter.com/eddy_nigg>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20131218/b9a7a146/attachment-0003.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4540 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.cabforum.org/pipermail/public/attachments/20131218/b9a7a146/attachment-0001.p7s>

More information about the Public mailing list