Chris Palmer <[email protected]> writes:

>On Saturday, September 27, 2014, Peter Gutmann <[email protected]> wrote:
>> That's always puzzled me about CT, who is going to monitor these logs, and
>> why would they bother? This seems to be built from the same fallacy as
>> "open-source code is more secure because lots of people will be auditing
>> the code for security bugs".
>
>It's a simple matter of a shell script to scan logs for misissuance for names
>you care about. Google certainly cares, EFF and other activist organizations,
>PayPal, Facebook, ...

So in other words it'll help the organisations who are already more or less
covered by certificate pinning (except that CT does it in a really roundabout,
complex manner rather than directly at the source as pinning does).

Looking at what CT gives you, there seem to be three scenarios to cover:

1. Cert issued for Google or Paypal.
2. Cert issued for First Bank of Podunk.
3. Cert issued for www.verify-chase-credit-card.com.

Case #1 is already handled by pinning, and cases #2 and #3 won't be helped
through CT. So CT will end up solving the browser PKI problem in the same way
that SPF solved the spam problem. It is a lot of fun to theorise about and
debate, as the ongoing discussions have more than proven, but it's not going
to be a lot of use if the attackers don't even notice it's there.

>But as Trevor says, we are off topic now...

I think trying to determine whether a purported crypto solution to a problem
will actually solve it is definitely on-topic, but just in case I've
cross-posted to the cryptography list, and people can edit followups as
required.

Peter.

_______________________________________________
Messaging mailing list
[email protected]
https://moderncrypto.org/mailman/listinfo/messaging
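As an added illustration (not code from this thread, from either author, or from any CT project) of the "scan logs for names you care about" monitor Chris describes, run against Peter's three scenarios: the log entries below are constructed, simplified stand-ins for CT entries (a real entry carries a DER-encoded X.509 certificate in a Merkle tree leaf, which is not parsed here), and the CA names, the watch list and the `.example` bank domain are made up. The exact-name monitor only fires for names somebody has chosen to watch (scenario #1); the unmonitored bank (scenario #2) produces nothing, and the lookalike (scenario #3) is only surfaced by the separate, noisier keyword heuristic, which goes beyond the exact monitoring in the message.

```python
"""Toy CT-log monitor for the three scenarios in the message.

Log records are CONSTRUCTED, simplified stand-ins for CT entries: only the
issuer and the certificate's DNS names are kept, since that is all the
monitor needs.
"""

# Constructed sample entries (not real certificates or real log data).
SAMPLE_LOG = [
    {"index": 0, "issuer": "Example CA 1", "names": ["www.google.com", "google.com"]},
    {"index": 1, "issuer": "Rogue CA",     "names": ["mail.google.com"]},
    {"index": 2, "issuer": "Example CA 2", "names": ["www.firstbankofpodunk.example"]},
    {"index": 3, "issuer": "Example CA 3", "names": ["www.verify-chase-credit-card.com"]},
    {"index": 4, "issuer": "Example CA 1", "names": ["www.paypal.com"]},
]

# Watch list: names an organisation "cares about", mapped to the CAs it
# actually buys certificates from (constructed). Only Google and PayPal are
# monitoring here; First Bank of Podunk is not, which is scenario #2.
WATCH = {
    "google.com": {"Example CA 1"},
    "paypal.com": {"Example CA 1"},
}


def base_domain_matches(name: str, watched: str) -> bool:
    """True if `name` is `watched` itself or a subdomain of it.

    Case-insensitive and tolerant of a trailing dot; a plain suffix check
    would wrongly match notgoogle.com, so the dot is required.
    """
    name = name.lower().rstrip(".")
    return name == watched or name.endswith("." + watched)


def scan(entries, watch=WATCH):
    """Return (index, name, issuer, reason) findings for watched names.

    A finding is raised when a watched name (or a subdomain of it) appears
    in an entry whose issuer is not one the watching organisation expects.
    Entries for names nobody watches are ignored.
    """
    findings = []
    for e in entries:
        for name in e["names"]:
            for watched, expected_cas in watch.items():
                if base_domain_matches(name, watched) and e["issuer"] not in expected_cas:
                    findings.append((e["index"], name, e["issuer"],
                                     f"unexpected issuer for {watched}"))
    return findings


def brand_keyword_hits(entries, keywords):
    """Optional lookalike heuristic for scenario #3.

    Flags any logged name containing one of the brand keywords. This is a
    substring match, so it is noisy, and it only helps if the brand owner
    is actually scanning the logs for it.
    """
    hits = []
    for e in entries:
        for name in e["names"]:
            if any(k in name.lower() for k in keywords):
                hits.append((e["index"], name))
    return hits


if __name__ == "__main__":
    # Scenario #1: the watched google.com name issued by an unexpected CA.
    for finding in scan(SAMPLE_LOG):
        print("MISISSUANCE?", finding)
    # Scenario #3: only the keyword heuristic notices the lookalike.
    for hit in brand_keyword_hits(SAMPLE_LOG, {"chase"}):
        print("LOOKALIKE?", hit)
```

Running it reports entry 1 (a `google.com` subdomain from "Rogue CA") as a possible misissuance, says nothing about the Podunk bank because no one watches that name, and only the keyword heuristic, with "chase" supplied by someone who cares about that brand, points at entry 3.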
