+benlaurie ...in case he's interested in opining on this sort of thing
On Fri, Aug 22, 2014 at 4:23 PM, Chris Palmer <[email protected]> wrote:

> On Thu, Aug 21, 2014 at 11:09 AM, Tao Effect <[email protected]> wrote:
>
> > - CT cannot deliver on its promise to document every certificate that is
> > issued. It makes it possible for malicious actors to issue fraudulent certs
> > and never actually log or report them. [2] [3]
> > - Certs must be purchased via yearly subscriptions, whereas with Namecoin /
> > DNSChain they are free.
> > - CT does not prevent MITM attacks, whereas DNSChain does.
> > - Whereas certificate revocation for compromised certificates is not an
> > issue in Namecoin / DNSChain, it is still an unsolved problem with CT. [4]
>
> http://www.certificate-transparency.org/how-ct-works
>
> """During the TLS handshake, the TLS client receives the SSL
> certificate and the certificate’s SCT. As usual, the TLS client
> validates the certificate and its signature chain. In addition, the
> TLS client validates the log’s signature on the SCT to verify that the
> SCT was issued by a valid log and that the SCT was actually issued for
> the certificate (and not some other certificate). If there are
> discrepancies, the TLS client may reject the certificate. For example,
> a TLS client would typically reject any certificate whose SCT
> timestamp is in the future."""
>
> Thus, clients can (and should) reject any certificate not issued in public.
>
> Just wanted to clear that up.
> _______________________________________________
> Messaging mailing list
> [email protected]
> https://moderncrypto.org/mailman/listinfo/messaging
>

--
Tony Arcieri
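The client-side SCT checks described in the quoted CT documentation, as an added example that is not part of the thread or of any CT project's code. It parses the RFC 6962 v1 `SignedCertificateTimestamp` layout and applies the known-log and future-timestamp checks; verifying the log's signature over the certificate is a separate step not shown, and the names `parse_sct`, `precheck_sct`, `build_sct` and all sample values are hypothetical.

```python
import hashlib
import struct

class SCTError(ValueError):
    """Raised when a serialized SCT is malformed."""

def parse_sct(buf: bytes) -> dict:
    """Parse an RFC 6962 v1 SignedCertificateTimestamp structure."""
    if len(buf) < 43:                      # version + log id + timestamp + ext length
        raise SCTError("truncated SCT")
    if buf[0] != 0:                        # sct_version: v1 is encoded as 0
        raise SCTError("unsupported SCT version")
    log_id = buf[1:33]                     # SHA-256 of the log's public key
    timestamp_ms, ext_len = struct.unpack(">QH", buf[33:43])
    pos = 43 + ext_len
    if len(buf) < pos + 4:
        raise SCTError("truncated SCT")
    hash_alg, sig_alg, sig_len = struct.unpack(">BBH", buf[pos:pos + 4])
    if pos + 4 + sig_len != len(buf):
        raise SCTError("signature length mismatch")
    return {"log_id": log_id, "timestamp_ms": timestamp_ms,
            "extensions": buf[43:pos], "hash_alg": hash_alg,
            "sig_alg": sig_alg, "signature": buf[pos + 4:]}

def precheck_sct(buf: bytes, trusted_log_ids: set, now_ms: int) -> tuple:
    """Checks a client can make before verifying the log's signature."""
    try:
        sct = parse_sct(buf)
    except SCTError as exc:
        return (False, str(exc))
    if sct["log_id"] not in trusted_log_ids:
        return (False, "SCT not from a known log")
    if sct["timestamp_ms"] > now_ms:
        return (False, "SCT timestamp is in the future")
    return (True, "ok, signature still to be verified")

# Constructed sample data (not a real log key or signature).
LOG_ID = hashlib.sha256(b"constructed-log-public-key").digest()
NOW_MS = 1408665600000                     # 2014-08-22T00:00:00Z, constructed "now"

def build_sct(log_id: bytes, timestamp_ms: int) -> bytes:
    sig = b"\x00" * 8                      # placeholder bytes, not a valid signature
    # hash_alg 4 = sha256, sig_alg 3 = ecdsa (TLS 1.2 registry values)
    return (b"\x00" + log_id + struct.pack(">QH", timestamp_ms, 0)
            + struct.pack(">BBH", 4, 3, len(sig)) + sig)

if __name__ == "__main__":
    for ts in (NOW_MS - 60_000, NOW_MS + 60_000):
        print(precheck_sct(build_sct(LOG_ID, ts), {LOG_ID}, NOW_MS))
```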
