[cabfpub] Question on CT: Monitoring

Rob Stradling rob.stradling at comodo.com
Fri Jan 3 09:25:55 MST 2014


On 21/12/13 18:32, Eddy Nigg (StartCom Ltd.) wrote:
> On 12/21/2013 12:24 AM, From Rob Stradling:
>> Indeed. However, apparently it took 9 days for them to discover the
>> breach.  CT would've hopefully helped them notice quicker (and it
>> certainly would've made a cover-up impossible!)
>
> Just to be clear - I'm absolutely not against the original idea and
> effort to find a solution to this problem if that is possible.

Great!

> And such a solution could come with different flavors - nobody forced the
> software vendors to accept every national/local/regional CA on a global
> basis for example.

How would restricting national/local/regional CAs do anything to solve
the problem of detecting misissuances?

> But as far as I see it, the CT proposal is that intrusive for us in so
> many aspects (infrastructure, business model, personnel and more) that
> I'm not sure if we are willing or can pay the price for it.

Can I urge you to at least sit down and read RFC6962?

> Especially when we have proven utmost diligence as far as our operation is concerned

DigiNotar had audit reports proving their utmost diligence too. 
Everything seemed fine...

> - just
> see http://www.netcraft.com/internet-data-mining/ssl-survey/ as an example:
>
>     The distribution of key lengths, however, varies significantly
>     between different CAs. For example, in May 2013, StartCom had issued
>     no certificates with an RSA public key shorter than 2048-bits and
>     almost 20% are 4096-bits long, more than any other major CA.

How does your customers' choice of key length reduce the chances of 
StartCom misissuing certs in the future?

> Everything should remain reasonable however and I don't believe there is
> 100% security as mistakes can and will happen (not only with CAs, but
> the entire ecosystem including software).

Yes, and CA compromises can and will happen too.

> This is something we all clearly should keep in mind all the time (if you
> are looking for 100% stop using the Internet because it doesn't exist).

Agreed.

> There can be however 100% effort which we should expect from all certificate
> authorities or otherwise don't run one.

Agreed.

However, 100% effort won't prevent misissuances.  Therefore, we need to 
solve the problem of detecting misissuances.

Do you have a better idea (than CT) for solving the problem of detecting 
misissuances?  If so, please write it up as an Internet Draft.

-- 
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
