[cabfpub] Question on CT: Monitoring
rob.stradling at comodo.com
Mon Jan 6 10:17:00 UTC 2014
On 03/01/14 23:48, Eddy Nigg (StartCom Ltd.) wrote:
> On 01/03/2014 06:25 PM, From Rob Stradling:
>>> - just
>>> see http://www.netcraft.com/internet-data-mining/ssl-survey/ as an
>>> The distribution of key lengths, however, varies significantly
>>> between different CAs. For example, in May 2013, StartCom had issued
>>> no certificates with an RSA public key shorter than 2048-bits and
>>> almost 20% are 4096-bits long, more than any other major CA.
>> How does your customers' choice of key length reduce the chances of
>> StartCom misissuing certs in the future?
> A lot - first of all it's not always the choice of the subscribers, but
> it's an example of diligence by the CA.
Are you saying that you require a certain proportion of your subscribers
to use 4096-bit keys?
The cut-off date for <2048-bit keys was a few days ago. May 2013 was
before the deadline, not after.
> And I can give you a couple of more such examples if you want, setting the
> bar clearly higher.
> Even though nothing is perfect as mentioned earlier, one can at least
> strive for that....
>> Do you have a better idea (than CT) for solving the problem of
>> detecting misissuances? If so, please write it up as an Internet Draft.
> I met recently with a representative of Google working on this project
> (am I allowed to publish that?) and I believe there is a way forward
> with CT. Slightly different than it started, but in my opinion better
> and the most sever problems affecting CAs in respect to the CT proposal
> can be apparently easily solved with achieving the same end-result which
> is the most important thing here. But I don't want to speak for them or
> put anything into their mouth.
I don't want you to speak for Google either. I only asked you to speak
for yourself. ;-)
Senior Research & Development Scientist
COMODO - Creating Trust Online
More information about the Public