[cabfpub] Question on CT: Monitoring

Rob Stradling rob.stradling at comodo.com
Mon Jan 6 12:43:53 UTC 2014

On 06/01/14 10:56, Eddy Nigg (StartCom Ltd.) wrote:
> On 01/06/2014 12:17 PM, From Rob Stradling:
>> Are you saying that you require a certain proportion of your
>> subscribers to use 4096-bit keys?
> No, not yet - but we require minimum 2K keys....
>> The cut-off date for <2048-bit keys was a few days ago.  May 2013 was
>> before the deadline, not after.
> ...since 2008!

So what?  Were 1024-bit RSA keys considered insecure for authenticating 
servers back in 2008?

>>> And I can give you a couple of more such examples if you want,
>>> setting the bar clearly higher.
>> Please do.
> No internal host names and IP addresses.
> No long living certificates.
> Validation requirement for certain purposes (as in code signing).
> And more...

I don't think this makes StartCom any less likely than any other CA to 
make mistakes in the future, or to get hacked, or to be compelled by 
government to mis-issue, etc.

CT is needed, irrespective of each CAs' past performance.

(BTW, if you think that the BRs don't set the bar high enough, please 
propose changes to the BRs).

>> I don't want you to speak for Google either.  I only asked you to
>> speak for yourself.  ;-)
> That's what I do - CT is Google's project and if they have to say
> something they'll probably do that without hesitation :-)

Sure, but I asked "Do you have a better idea (than CT) for solving the 
problem of detecting misissuances?"

I conclude that you don't.

I hope that you will embrace CT.  :-)

Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online

More information about the Public mailing list