[cabfpub] Question on CT: Monitoring

Eddy Nigg (StartCom Ltd.) eddy_nigg at startcom.org
Fri Jan 3 23:48:12 UTC 2014

On 01/03/2014 06:25 PM, From Rob Stradling:
>> - just
>> see http://www.netcraft.com/internet-data-mining/ssl-survey/ as an 
>> example:
>>     The distribution of key lengths, however, varies significantly
>>     between different CAs. For example, in May 2013, StartCom had issued
>>     no certificates with an RSA public key shorter than 2048-bits and
>>     almost 20% are 4096-bits long, more than any other major CA.
> How does your customers' choice of key length reduce the chances of 
> StartCom misissuing certs in the future?

A lot - first of all it's not always the choice of the subscribers, but 
it's an example of diligence by the CA. And I can give you a couple of 
more such examples if you want, setting the bar clearly higher.

Even though nothing is perfect as mentioned earlier, one can at least 
strive for that....

> Do you have a better idea (than CT) for solving the problem of 
> detecting misissuances?  If so, please write it up as an Internet Draft.

I met recently with a representative of Google working on this project 
(am I allowed to publish that?) and I believe there is a way forward 
with CT. Slightly different than it started, but in my opinion better 
and the most severe problems affecting CAs in respect to the CT proposal 
can be apparently easily solved with achieving the same end-result which 
is the most important thing here. But I don't want to speak for them or 
put anything into their mouth.

Signer: 	Eddy Nigg, COO/CTO
	StartCom Ltd. <http://www.startcom.org>
XMPP: 	startcom at startcom.org <xmpp:startcom at startcom.org>
Blog: 	Join the Revolution! <http://blog.startcom.org>
Twitter: 	Follow Me <http://twitter.com/eddy_nigg>
