> Incorrect: CT provides a globally verifiable audit trail - the exchange of money is irrelevant.

It is if Google CT only accepts submissions of CAs, and Chrome ships with the Google CT. It forces me to use CAs.

> CT does not see the difference between you logging in to your registrar interface and updating the DS record, someone else using your credentials to do the same without your knowledge, or the registry going rogue. What it does is make all of these visible to you. Then it is up to you (or anyone else) to spot the abuse and do something about it.

Which is the exact problem of outsourcing trust vs trusting no one. People keep insisting they can do both. Adding another "cert patrol" warning box in my browser isn't going to make users more secure. So what happens if I update my TLS key? I need to live with a few hours of users getting told my site is hacked and clicking OK, or do we ignore the first few hours of a site being compromised?

Paul

_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
