[cabfpub] [cabfman] Improving the security of EV Certificates
jeremy.rowley at digicert.com
Wed Dec 18 21:53:30 UTC 2013
I think an important point is who should bear the cost of minimizing the impact of a CA compromise. Even if CT is more expensive than pinning (which I doubt) and ignoring the fact that pinning and CT are NOT mutually exclusive, the cost for CT lies with the browsers and CAs while the cost for pinning is with the browser and server operator. Since the threat associated with a compromised or bad acting CA is directly related to our industry, the CA industry is best suited to bear the burden of fixing that problem, not the customers.
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Ryan Sleevi
Sent: Wednesday, December 18, 2013 2:44 PM
To: Eddy Nigg (StartCom Ltd.)
Cc: public at cabforum.org
Subject: Re: [cabfpub] [cabfman] Improving the security of EV Certificates
On Wed, Dec 18, 2013 at 1:39 PM, Eddy Nigg (StartCom Ltd.) <eddy_nigg at startcom.org> wrote:
On 12/18/2013 11:32 PM, From Ryan Sleevi:
On Wed, Dec 18, 2013 at 1:23 PM, Eddy Nigg (StartCom Ltd.) <eddy_nigg at startcom.org> wrote:
On 12/18/2013 10:14 PM, From Ryan Sleevi:
> How did you arrive at that sum? Pinning shouldn't really cost anything once the code is in the browsers. I also assume that code changes for CT wouldn't be any cheaper than that.
Pinning is NOT just a knob you turn. It carries huge operational risks to realize the preventative guarantees
Are we talking about the same thing here?
If you haven't followed the IETF discussions about pinning, I absolutely encourage you to do so.
Sadly I don't have much time for IETF discussions, but...
I can understand the volume of mail can be quite a bit, but I think it would be very helpful for the discussions to get some familiarity with the spec and the attendant issues if you do want to suggest it as a viable alternative to CT.
The pinning draft itself is careful to spell out that there are non-trivial risks aplenty with pinning, BUT it can provide *preventative* mitigation.
WHAT? With pinning I understand to pin a particular certificate to a particular host name in the browser. Is this what you are talking about?
Yes. And it can be VERY risky, VERY hard to get right, and is a VERY costly mistake if you get it wrong. That said, when the stars are aligned and the engineers are competent and the moon is shining upon you, it can actively prevent MITM, rather than just detect.
I'd be happy to discuss more with you, but pinning is absolutely something that even we at Google (proposers of it and authors of the current spec) are quick to point out is NOT a general solution for everyone and requires careful balance to choose whether the (risks of MITM) exceed (risks of bricking your entire site, with no one to dial up on a batphone to rescue you).
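The two sides of pinning described in the exchange above (it blocks a mis-issued certificate outright, but a site whose key rotates to one not in its pin set is unreachable until the pins age out) can be seen in a small model of a browser-side pin cache. This is an added example, not code from this thread or from any browser; the SPKI byte strings, the host name and the PinStore API are constructed stand-ins.

```python
import base64
import hashlib

DAY = 86400

def spki_pin(spki_der: bytes) -> str:
    """HPKP pin value: base64(SHA-256(SubjectPublicKeyInfo DER))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

class PinStore:
    """Minimal model of a browser's per-host pin cache (constructed, not a browser's code)."""
    def __init__(self):
        self.hosts = {}  # host -> (pin set, expiry time in seconds)

    def remember(self, host, pins, max_age, now):
        # A pin set must carry a backup pin; a lone pin is refused (RFC 7469 rule).
        if len(set(pins)) < 2:
            return False
        self.hosts[host] = (set(pins), now + max_age)
        return True

    def allowed(self, host, chain_spkis, now):
        """Proceed if no pins are cached (or they expired) or some chain key matches a pin."""
        entry = self.hosts.get(host)
        if entry is None:
            return True
        pins, expiry = entry
        if now >= expiry:
            del self.hosts[host]  # pins age out; only then does a mis-pinned site recover
            return True
        return any(spki_pin(spki) in pins for spki in chain_spkis)

# Constructed stand-ins for DER-encoded SubjectPublicKeyInfo blobs.
CURRENT_KEY = b"spki:current-key"
BACKUP_KEY = b"spki:backup-key"
FRESH_KEY = b"spki:fresh-key-generated-after-backup-was-lost"

def rotation_outcome(rotate_to: bytes, days_later: int) -> bool:
    """Pin current+backup for 60 days at t=0, rotate the leaf key, then try to connect."""
    store = PinStore()
    pins = [spki_pin(CURRENT_KEY), spki_pin(BACKUP_KEY)]
    store.remember("example.test", pins, 60 * DAY, 0)
    # The chain presented after rotation carries only the new leaf key.
    return store.allowed("example.test", [rotate_to], days_later * DAY)

if __name__ == "__main__":
    print(rotation_outcome(BACKUP_KEY, 1))  # True: planned rotation to the pinned backup
    print(rotation_outcome(FRESH_KEY, 1))   # False: pinned clients cannot reach the site
    print(rotation_outcome(FRESH_KEY, 30))  # False: still unreachable mid max-age
    print(rotation_outcome(FRESH_KEY, 60))  # True: pins expired, clients recover
```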