My point is that you cannot say CT "effectively destroys the attack value of 
mis-issuance" and then as justification say that you are assuming someone will 
notice. This is the gap I'm talking about: the space between when a 
mis-issuance takes place and when someone notices.

For the sake of argument let's suppose I generate a cert for 
"googlecares[dot]com" and it shows up in the CT logs. What happens next? What 
if I do "googlecares[dot]org" instead? Even if someone notices, what action 
will be taken? As a bad guy I'm going to do whatever I can get away with, so it 
seems I don't have to worry about CT because, as it turns out, I can get away 
with quite a lot.

----- Original Message -----
From: Chris Palmer
Sent: Monday, June 8, 2015 1:38 PM

On Fri, Jun 5, 2015 at 8:04 AM, Peter Kurrasch <fhw...@gmail.com> wrote:
>> Certificate Transparency gets us what we want, I think. CT works
>> globally, and is safer, and significantly changes the trust equation:
>>
>> * Reduces to marginal/effectively destroys the attack value of mis-issuance
>
> Please clarify this statement because, as written, this is plainly not true. 
> The only way to reduce the value is if someone detects the mis-issuance and 
> then takes action to resolve it.

Yes, I am assuming that — it's the foundational and necessary
assumption of any audit system.

The Googles, Facebooks, PayPals, ... of the world care very much about
mis-issuance for their domains. Activists and security experts and
bloggers and reporters are always looking for fun stuff, and are
generally capable of writing shell scripts.

> From what I've seen so far, both are major gaps in CT as a security feature.

What have you seen so far that leads you to believe that? Are there
mis-issuances in the existing CT logs that nobody has called attention
to...?
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
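The two messages above disagree about the gap between a mis-issuance showing up in a CT log and someone acting on it. The script below is an added example, not code from either poster or from any CT project: it shows the kind of watch-list check a domain owner (or the "shell script" writers Chris mentions) would run over CT log entries so that a certificate for a name like googlecares.com or g00gle.com is flagged the moment it appears, rather than waiting for a passer-by to notice. The log entries, brand list and controlled-domain list are constructed sample data; a real monitor would feed it SAN names extracted from the log's (pre)certificates.

```python
"""
Added example: a minimal lookalike-name monitor over Certificate Transparency
log entries. Everything below (entries, brands, domains) is constructed sample
data for illustration; it is not taken from any real CT log.
"""

# Constructed sample of what a CT monitor extracts from log entries:
# one record per (pre)certificate with its SAN dNSNames. Hypothetical values.
SAMPLE_CT_ENTRIES = [
    {"index": 1001, "names": ["www.example.com", "example.com"]},
    {"index": 1002, "names": ["googlecares.com"]},
    {"index": 1003, "names": ["mail.googlecares.org"]},
    {"index": 1004, "names": ["g00gle.com"]},
    {"index": 1005, "names": ["login.paypal-secure.net"]},
    {"index": 1006, "names": ["unrelated.example.net"]},
]

# Brands the monitor watches for, and the domains the owner legitimately
# controls (certificates under these are expected and not reported).
WATCHED_BRANDS = ["google", "paypal"]
LEGIT_DOMAINS = {"google.com", "paypal.com"}

# Common digit-for-letter substitutions folded before comparison,
# so that "g00gle" compares equal to "google".
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "@": "a"}


def normalize_label(label):
    """Lowercase a DNS label and fold confusable characters."""
    return "".join(CONFUSABLES.get(c, c) for c in label.lower())


def host_of(name):
    """Lowercase a SAN name and drop a leading wildcard ("*.example.com")."""
    name = name.lower()
    return name[2:] if name.startswith("*.") else name


def classify(name):
    """Return a reason string if `name` looks aimed at a watched brand, else None."""
    host = host_of(name)
    # Names at or under a domain the owner controls are expected issuances.
    for legit in LEGIT_DOMAINS:
        if host == legit or host.endswith("." + legit):
            return None
    labels = host.split(".")
    # Inspect every label except the TLD: a brand used as its own label under
    # a foreign registrable domain, or embedded in a longer label, is suspect.
    for brand in WATCHED_BRANDS:
        for label in labels[:-1]:
            folded = normalize_label(label)
            if folded == brand:
                return f"brand '{brand}' as a label under a different domain"
            if brand in folded:
                return f"brand '{brand}' embedded in label '{label}'"
    return None


def scan_entries(entries):
    """Return (log index, name, reason) for every flagged SAN name."""
    alerts = []
    for entry in entries:
        for name in entry["names"]:
            reason = classify(name)
            if reason:
                alerts.append((entry["index"], name, reason))
    return alerts


if __name__ == "__main__":
    for index, name, reason in scan_entries(SAMPLE_CT_ENTRIES):
        print(f"log index {index}: {name}: {reason}")
```

Run against the sample entries, the monitor flags indexes 1002 through 1005 and stays quiet on the owner's own names and on unrelated domains. It deliberately reports the ".org" variant as readily as the ".com" one, since the thread's point is that the TLD does not change the risk; deciding what to do with an alert (contact the CA, request revocation, warn users) is the action step the thread argues must exist for CT to pay off.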
