On Thu, Aug 21, 2014 at 11:09 AM, Tao Effect <[email protected]> wrote:
> - CT cannot deliver on its promise to document every certificate that is
> issued. It makes it possible for malicious actors to issue fraudulent certs
> and never actually log or report them. [2] [3]
> - Certs must be purchased via yearly subscriptions, whereas with Namecoin /
> DNSChain they are free.
> - CT does not prevent MITM attacks, whereas DNSChain does.
> - Whereas certificate revocation for compromised certificates is not an
> issue in Namecoin / DNSChain, it is still an unsolved problem with CT. [4]

http://www.certificate-transparency.org/how-ct-works

"""During the TLS handshake, the TLS client receives the SSL certificate and the certificate's SCT. As usual, the TLS client validates the certificate and its signature chain. In addition, the TLS client validates the log's signature on the SCT to verify that the SCT was issued by a valid log and that the SCT was actually issued for the certificate (and not some other certificate). If there are discrepancies, the TLS client may reject the certificate. For example, a TLS client would typically reject any certificate whose SCT timestamp is in the future."""

Thus, clients can (and should) reject any certificate not issued in public.

Just wanted to clear that up.

_______________________________________________
Messaging mailing list
[email protected]
https://moderncrypto.org/mailman/listinfo/messaging
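The client-side SCT check that the quoted how-ct-works passage describes, written out as an added example; this is not code from the thread or from the Certificate Transparency project. It builds the signed structure of an RFC 6962 v1 SCT for an X.509 entry, plays a toy log that signs it with ECDSA P-256 and SHA-256, and then performs the three client checks from the passage: the SCT names a log the client trusts (log ID = SHA-256 of the log's public key), the timestamp is not in the future, and the log's signature covers exactly this certificate and no other. The certificate is a constructed placeholder byte string (the SCT treats it as opaque DER), the trusted-log map stands in for a client's pinned log list, and `IssueSCT`, `VerifySCT`, `LogID` and `sctSignedData` are names chosen here, not API from any CT library.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Wire constants from RFC 6962 (v1 SCT) and the TLS SignatureAndHashAlgorithm registry.
const (
	sctV1                = 0 // Version v1
	sigTypeCertTimestamp = 0 // SignatureType certificate_timestamp
	entryTypeX509        = 0 // LogEntryType x509_entry
	tlsHashSHA256        = 4 // HashAlgorithm sha256
	tlsSigECDSA          = 3 // SignatureAlgorithm ecdsa
)

// SCT mirrors the v1 SignedCertificateTimestamp a server hands the client.
type SCT struct {
	LogID      [32]byte // SHA-256 of the log's DER SubjectPublicKeyInfo
	Timestamp  uint64   // milliseconds since the Unix epoch
	Extensions []byte
	Signature  []byte // TLS DigitallySigned: hash alg, sig alg, 2-byte length, DER ECDSA sig
}

// sctSignedData builds the "digitally-signed struct" the log signs for an X.509 entry
// (RFC 6962 section 3.2). Binding the certificate bytes in is what stops an SCT being reused.
func sctSignedData(timestamp uint64, certDER, extensions []byte) []byte {
	n := len(certDER)
	b := []byte{sctV1, sigTypeCertTimestamp}
	b = binary.BigEndian.AppendUint64(b, timestamp)
	b = binary.BigEndian.AppendUint16(b, entryTypeX509)
	b = append(b, byte(n>>16), byte(n>>8), byte(n)) // opaque ASN.1Cert<1..2^24-1>
	b = append(b, certDER...)
	b = binary.BigEndian.AppendUint16(b, uint16(len(extensions))) // CtExtensions<0..2^16-1>
	return append(b, extensions...)
}

// LogID is how a client identifies a log it trusts: the hash of the log's public key.
func LogID(pub *ecdsa.PublicKey) [32]byte {
	der, err := x509.MarshalPKIXPublicKey(pub) // cannot fail for a well-formed P-256 key
	if err != nil {
		panic(err)
	}
	return sha256.Sum256(der)
}

// IssueSCT plays the log's side: a toy log (assumption of this example) signing with ECDSA P-256 / SHA-256.
func IssueSCT(logKey *ecdsa.PrivateKey, certDER []byte, timestamp uint64) (SCT, error) {
	digest := sha256.Sum256(sctSignedData(timestamp, certDER, nil))
	sig, err := ecdsa.SignASN1(rand.Reader, logKey, digest[:])
	if err != nil {
		return SCT{}, err
	}
	ds := append([]byte{tlsHashSHA256, tlsSigECDSA, byte(len(sig) >> 8), byte(len(sig))}, sig...)
	return SCT{LogID: LogID(&logKey.PublicKey), Timestamp: timestamp, Signature: ds}, nil
}

// VerifySCT is the client-side check from the quoted passage: trusted log,
// timestamp not in the future, and the log's signature covers this certificate.
func VerifySCT(sct SCT, certDER []byte, trusted map[[32]byte]*ecdsa.PublicKey, now time.Time) error {
	pub, ok := trusted[sct.LogID]
	if !ok {
		return errors.New("SCT from a log this client does not trust")
	}
	if sct.Timestamp > uint64(now.UnixMilli()) {
		return errors.New("SCT timestamp is in the future")
	}
	s := sct.Signature
	if len(s) < 4 || s[0] != tlsHashSHA256 || s[1] != tlsSigECDSA || len(s) != 4+int(binary.BigEndian.Uint16(s[2:4])) {
		return errors.New("unsupported or malformed DigitallySigned")
	}
	digest := sha256.Sum256(sctSignedData(sct.Timestamp, certDER, sct.Extensions))
	if !ecdsa.VerifyASN1(pub, digest[:], s[4:]) {
		return errors.New("log signature does not cover this certificate")
	}
	return nil
}

func main() {
	logKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	trusted := map[[32]byte]*ecdsa.PublicKey{LogID(&logKey.PublicKey): &logKey.PublicKey}
	cert := []byte("constructed stand-in for a DER-encoded leaf certificate") // placeholder, opaque to the SCT
	now := time.Now()
	sct, _ := IssueSCT(logKey, cert, uint64(now.Add(-time.Minute).UnixMilli()))
	fmt.Println("genuine SCT:", VerifySCT(sct, cert, trusted, now))
	fmt.Println("same SCT, other cert:", VerifySCT(sct, []byte("another certificate"), trusted, now))
}
```

A passing VerifySCT establishes only that a log the client trusts promised to publish this exact certificate; checking that the log kept that promise (an inclusion proof against a signed tree head, and comparing tree heads with others) is a separate step that this block does not perform.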
