> -----Original Message-----
> From: Chris Palmer [mailto:pal...@google.com]
> Sent: Wednesday, October 24, 2012 5:57 PM
> To: Rick Andrews
> Cc: Ben Laurie; Phillip Hallam-Baker; therightkey@ietf.org; Paul Hoffman
> Subject: Re: [therightkey] Impact on issue processes
>
> On Wed, Oct 24, 2012 at 10:09 AM, Rick Andrews <rick_andr...@symantec.com> wrote:
>
> > It's not a question of being unable to modify our software. As a
> > representative of Symantec, I will tell you that modifying our issuance
> > code will be a very tough sell, for a number of reasons:
> >
> > - There's no obvious direct return on investment
> >
> > - For some types of certificates, speed of issuance is very
> > important. Getting a CT proof will slow this down and cause it to fail
> > if the log server isn't up 100% of the time.
> >
> > - It makes sense to avoid relying on external parties to fulfill
> > part of our cert issuance process. At this point, it's unclear who
> > would even host a log service, what SLA they would provide, how much
> > attention they would pay to performance and availability, disaster
> > recovery, etc.
> >
> > - Symantec would not be interested in hosting a log service because
> > of unclear ROI.
>
> CT makes CAs less valuable targets. I'd call that ROI.
Ben, Chris,

Protecting users is certainly a motivation, and making our customers and their end users safer on the Internet is my main goal. I'm not opposed to CT because I don't want to protect users or CAs. I'm just not convinced it's the best solution.

It's going to cost engineering time and money for CAs to implement CT. The bean counters and execs who control the purse strings are going to ask what they'll get for their $$$. They'll ask "so if I spend this money, we won't get hacked, right?" and I would have to say no, it's no guarantee that we wouldn't get hacked, but if we got hacked we would know about it.

CT is *a* solution, but by no means the only possible solution. Is there another solution that might be less expensive and intrusive to implement? CAA might get us 80% of the way there for a fraction of the cost. DANE and cert pinning also help, and might be simpler to implement.

-Rick

_______________________________________________
therightkey mailing list
therightkey@ietf.org
https://www.ietf.org/mailman/listinfo/therightkey
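The availability concern raised in the quoted message (issuance failing whenever a single log is slow or down) is a design choice rather than an inherent cost of CT. As an added illustration, not code from either correspondent or from any CA, the following submits a precertificate to several logs in parallel and proceeds once a quorum of SCTs is in hand or a deadline passes; the logs are in-process stand-ins, and the quorum, deadline and SCT shape are assumptions of this example.

```python
# Added example, not from the thread: gather SCTs from several CT logs so
# that no single slow or down log blocks issuance. Logs are constructed stand-ins.
import concurrent.futures as cf
import hashlib
import time

class LogUnavailable(Exception):
    """Raised by a simulated log that is down."""

def make_log(name, latency_s, up=True):
    """Return a callable standing in for one log's add-pre-chain call."""
    def submit(precert: bytes) -> dict:
        time.sleep(latency_s)  # network round trip + log processing (simulated)
        if not up:
            raise LogUnavailable(name)
        digest = hashlib.sha256(name.encode() + precert).hexdigest()[:16]
        return {"log": name, "sct": digest}  # SCT stand-in, not a real SCT
    return submit

def collect_scts(precert, logs, quorum, deadline_s):
    """Submit to every log in parallel; stop once `quorum` SCTs are in hand or
    `deadline_s` elapses. Returns (scts, status) with status per log: ok/down/timeout."""
    scts, status = [], {}
    pool = cf.ThreadPoolExecutor(max_workers=len(logs))
    futures = {pool.submit(fn, precert): name for name, fn in logs.items()}
    try:
        for fut in cf.as_completed(futures, timeout=deadline_s):
            name = futures[fut]
            try:
                scts.append(fut.result())
                status[name] = "ok"
            except LogUnavailable:
                status[name] = "down"
            if len(scts) >= quorum:
                break
    except cf.TimeoutError:
        pass  # deadline hit: the caller decides with what was collected
    for fut, name in futures.items():  # account for the rest without waiting
        if name in status:
            continue
        if not fut.done():
            status[name] = "timeout"
        elif fut.exception() is not None:
            status[name] = "down"
        else:
            scts.append(fut.result())
            status[name] = "ok"
    pool.shutdown(wait=False)  # laggards finish in the background
    return scts, status
```

The caller then applies its own policy (e.g. fail closed and hold issuance when `len(scts) < quorum`), which is where the latency-versus-assurance trade-off actually lives.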