[cabfpub] Improving the security of EV Certificates

Rick Andrews Rick_Andrews at symantec.com
Thu Dec 19 01:16:18 UTC 2013


I concede that CT and pinning don't accomplish the same thing. They can both detect if a certificate was mis-issued for an existing web site that the domain owner knows about (say, www.example.com), but pinning cannot detect that a certificate was mis-issued for a web site that the domain owner doesn't know about (say, myfakesite.example.com). This is a shortcoming of pinning that was not apparent to me until now.

It seems to me that the main point of disagreement between CT proponents and opponents is whether the added risk, costs and complexity of CT are small or large.

-Rick






