On 14/11/2016 21:37, Nick Lamb wrote:
On Monday, 14 November 2016 16:57:20 UTC, Jakob Bohm wrote:
If this is the only privacy mechanism in 6962bis, I would suggest that
everyone not employed by either Google or another mass-monitoring
service block its adoption on human rights grounds and on the basis of
being a mass-attack on network security.
Whereas I would say almost the precise opposite, the Web PKI is a _public_
resource, if you don't want your certificates to be examined by the _public_
then you are in the wrong place and need to look into a private CA. Redaction
has no place in public CT logs. If a private CA wants to operate redacted logs
in which everything is too murky to make any useful conclusions about anything
they're welcome to do just that.
Google and the "information wants to be free" crowd want everything
connected to the Internet to be declared public and everything to be
connected to the Internet.
Many others tend to disagree.
The HTTPS-everywhere tendency, including the plans of some people to
completely remove unencrypted HTTP from implementations, makes it
necessary for non-public stuff connected to the Internet to get
Internet-compatible TLS certificates. That happens to be the same as
the WebPKI, thus the need for an ability to get a WebPKI certificate
without announcing your address to every script-kiddie automated
mass-attack tool out there.
Even from this very limited perspective of protecting a subscriber from
themselves, redaction falls down badly as I explained in my posts when Chromium
mooted what redaction policies should be accepted earlier this year.
Chromium=Google=Peeping Tom.
The snooping argument amounts to very little. If you were paying attention to
CT logs when greatagain.gov was launched, or if you really stare hard at all
the new certificates logged for the .gov TLD you will have discovered what
Hillary's transition site would have been called. But amid a media saturated
with wall-to-wall with US election news, focusing on even the tiniest slivers
of new information, nobody even mentioned it. Not because the White House staff
have some elite redaction technology that allowed them keep it off the record
but because it's just not that interesting.
Maybe because that was just too insignificant to shout about, or maybe
because the political journalists are not up to speed on CT yet.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
