On 07/11/16 17:25, Ryan Sleevi wrote:
> Yes. An 'evil log' can provide a divided split-view, targeting only
> an affected number of users. Unless that SCT was observed, and
> reported (via Gossip or some other means of exfiltration), that split
> view would not be detected.

So it is therefore important not just that the client which receives the SCT checks it against an STH it can observe, but that it is reported elsewhere for others to check? Or that a client has a method of fetching inclusion proofs that were "observed" from elsewhere?

> So if I were wanting to run an evil log, which could hide misissued
> certificates, I could sufficiently compel or coerce a quorum of
> acceptable logs

With "quorum" effectively being the smallest number of permitted SCTs, i.e. two. Presumably this is one reason some people are suggesting Mozilla's policy have a jurisdictional diversity requirement - to make such coercion harder.

Gerv

_______________________________________________
dev-security-policy mailing list
https://lists.mozilla.org/listinfo/dev-security-policy
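The split-view point above, worked through as an added example (this is illustrative code written for this page, not code from the thread, from Mozilla, or from any CT log). It builds an RFC 6962 Merkle tree, verifies an inclusion proof the way a client would check an SCT against an STH, and then shows why that check alone is not enough: an "evil log" can serve the victim a tree containing the misissued entry and serve everyone else a different tree of the same size, so the victim's proof verifies locally while a gossiped STH from another vantage point exposes the inconsistency. The certificate bytes, log views and the `STH`/`split_view_detected` names are constructed for the example; real leaves are `MerkleTreeLeaf` structures and real STHs are signed.

```python
import hashlib
from dataclasses import dataclass
from typing import List

# RFC 6962 hashing: leaves and interior nodes are domain-separated so a
# leaf can never be confused with an internal node.
def leaf_hash(data: bytes) -> bytes:
    return hashlib.sha256(b"\x00" + data).digest()

def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()

def _split(n: int) -> int:
    """Largest power of two strictly less than n (n >= 2), per RFC 6962 s2.1."""
    k = 1
    while k * 2 < n:
        k *= 2
    return k

def merkle_root(leaves: List[bytes]) -> bytes:
    if not leaves:
        return hashlib.sha256(b"").digest()
    if len(leaves) == 1:
        return leaf_hash(leaves[0])
    k = _split(len(leaves))
    return node_hash(merkle_root(leaves[:k]), merkle_root(leaves[k:]))

def inclusion_path(index: int, leaves: List[bytes]) -> List[bytes]:
    """Audit path for leaf `index` (RFC 6962 s2.1.1), leaf-to-root order."""
    if len(leaves) == 1:
        return []
    k = _split(len(leaves))
    if index < k:
        return inclusion_path(index, leaves[:k]) + [merkle_root(leaves[k:])]
    return inclusion_path(index - k, leaves[k:]) + [merkle_root(leaves[:k])]

def verify_inclusion(leaf: bytes, index: int, tree_size: int,
                     path: List[bytes], root_hash: bytes) -> bool:
    """Client-side check of an inclusion proof against an STH root
    (the iterative algorithm from RFC 9162 s2.1.3.2)."""
    if index >= tree_size:
        return False
    fn, sn = index, tree_size - 1
    r = leaf_hash(leaf)
    for p in path:
        if sn == 0:
            return False
        if fn & 1 or fn == sn:
            r = node_hash(p, r)
            if not fn & 1:
                while fn and not fn & 1:
                    fn >>= 1
                    sn >>= 1
        else:
            r = node_hash(r, p)
        fn >>= 1
        sn >>= 1
    return sn == 0 and r == root_hash

@dataclass(frozen=True)
class STH:  # constructed stand-in for a Signed Tree Head (signature omitted)
    tree_size: int
    root_hash: bytes

def sth_for(leaves: List[bytes]) -> STH:
    return STH(len(leaves), merkle_root(leaves))

def split_view_detected(observed: STH, gossiped: STH) -> bool:
    """Two views of one honest log at the same size must share a root hash;
    two different roots at the same size prove the log equivocated."""
    return (observed.tree_size == gossiped.tree_size
            and observed.root_hash != gossiped.root_hash)

# Constructed log contents (placeholders, not real certificates).
PUBLIC_CERTS = [b"cert-%d" % i for i in range(4)]
MISISSUED = b"misissued-cert-for-victim"
VICTIM_VIEW = PUBLIC_CERTS + [MISISSUED]   # what the targeted client is shown
WORLD_VIEW = PUBLIC_CERTS + [b"cert-4"]    # what every other observer is shown

def victim_check() -> bool:
    """The victim's inclusion proof verifies against the STH the log gave it."""
    sth = sth_for(VICTIM_VIEW)
    return verify_inclusion(MISISSUED, 4, sth.tree_size,
                            inclusion_path(4, VICTIM_VIEW), sth.root_hash)

def world_check() -> bool:
    """The same proof fails against the STH everyone else observed."""
    sth = sth_for(WORLD_VIEW)
    return verify_inclusion(MISISSUED, 4, sth.tree_size,
                            inclusion_path(4, VICTIM_VIEW), sth.root_hash)

def gossip_check() -> bool:
    """Comparing the two STHs out of band is what reveals the split view."""
    return split_view_detected(sth_for(VICTIM_VIEW), sth_for(WORLD_VIEW))

if __name__ == "__main__":
    print("victim's proof verifies locally:", victim_check())
    print("same proof against the world's STH:", world_check())
    print("split view detected via gossip:", gossip_check())
```

The comparison here only covers two STHs of equal size; when the gossiped STH is for a different tree size, the client needs a consistency proof (RFC 6962 s2.1.2) to confirm the smaller tree is a prefix of the larger one, and an evil log that never publishes the victim's STH to anyone else is caught only if that STH is exfiltrated, which is the reporting step the thread is discussing.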

