[cabfpub] Question on CT: Monitoring

[Rob Stradling]

On 03/01/14 23:48, Eddy Nigg (StartCom Ltd.) wrote:
>
> On 01/03/2014 06:25 PM, From Rob Stradling:
>>
>>> - just
>>> see http://www.netcraft.com/internet-data-mining/ssl-survey/ as an
>>> example:
>>>
>>>     The distribution of key lengths, however, varies significantly
>>>     between different CAs. For example, in May 2013, StartCom had issued
>>>     no certificates with an RSA public key shorter than 2048-bits and
>>>     almost 20% are 4096-bits long, more than any other major CA.
>>
>> How does your customers' choice of key length reduce the chances of
>> StartCom misissuing certs in the future?
>
> A lot - first of all it's not always the choice of the subscribers, but
> it's an example of diligence by the CA.

Are you saying that you require a certain proportion of your subscribers 
to use 4096-bit keys?

The cut-off date for <2048-bit keys was a few days ago.  May 2013 was 
before the deadline, not after.

> And I can give you a couple of more such examples if you want, setting the
> bar clearly higher.

Please do.

> Even though nothing is perfect as mentioned earlier, one can at least
> strive for that....
>
>> Do you have a better idea (than CT) for solving the problem of
>> detecting misissuances?  If so, please write it up as an Internet Draft.
>
> I met recently with a representative of Google working on this project
> (am I allowed to publish that?) and I believe there is a way forward
> with CT. Slightly different than it started, but in my opinion better
> and the most sever problems affecting CAs in respect to the CT proposal
> can be apparently easily solved with achieving the same end-result which
> is the most important thing here. But I don't want to speak for them or
> put anything into their mouth.

I don't want you to speak for Google either.  I only asked you to speak 
for yourself.  ;-)

-- 
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online