On Thu, Mar 1, 2012 at 3:14 PM, Thierry Moreau <[email protected]> wrote: > May I ask a (maybe stupid) question? > > "... audit proofs will be valid indefinitely ..." > > Then what remains of the scheme reputation once Mallory managed to inject a > fraudulent certificate in whatever is being audited (It's called a "log" but > I understand it as a grow-only repository)?
IIUC... Someone (domain owners) has to audit the CAs by reviewing their audit logs. If enough domain owners do this then the remaining domain owners' clients get protection by the deterrent effect of having CAs be auditable and mostly-audited too -- something not too unlike herd immunity. Security with CT is asynchronous as far as the client is concerned, but with some help from CAs this could be made as good as synchronous. The client synchronously gets a proof that the server cert has been added to the log. The client could even get synchronous confirmation that the logs have been audited by the target server's owners up to a given point in time -- hopefully very recently. There will be some latency from "a cert gets added to the log" to "that addition was audited", but if auditable CAs commit to issuing certificates with notBefore set in the future by enough time that most domain owners can have audited the issuance and revoked it if necessary *before* the new cert becomes valid, then the client gets as good as synchronous protection. I think the audit-by-domain-owners latency could be made as short as seconds, but hours will do. Nico -- _______________________________________________ cryptography mailing list [email protected] http://lists.randombit.net/mailman/listinfo/cryptography
