> -----Original Message-----
> From: Chris Palmer [mailto:pal...@google.com]
> Sent: Wednesday, October 24, 2012 5:57 PM
> To: Rick Andrews
> Cc: Ben Laurie; Phillip Hallam-Baker; therightkey@ietf.org; Paul Hoffman
> Subject: Re: [therightkey] Impact on issue processes
> 
> On Wed, Oct 24, 2012 at 10:09 AM, Rick Andrews
> <rick_andr...@symantec.com> wrote:
> 
> > It's not a question of being unable to modify our software. As a
> > representative of Symantec, I will tell you that modifying our issuance
> > code will be a very tough sell, for a number of reasons:
> >  - There's no obvious direct return on investment
> >  - For some types of certificates, speed of issuance is very
> >    important. Getting a CT proof will slow this down and cause it to fail
> >    if the log server isn't up 100% of the time.
> >  - It makes sense to avoid relying on external parties to fulfill
> >    part of our cert issuance process. At this point, it's unclear who
> >    would even host a log service, what SLA they would provide, how much
> >    attention they would pay to performance and availability, disaster
> >    recovery, etc.
> >  - Symantec would not be interested in hosting a log service because
> >    of unclear ROI.
> 
> CT makes CAs less valuable targets. I'd call that ROI.

Ben, Chris,

Protecting users is certainly a motivation and making our customers and their 
end users safer on the Internet is my main goal. I'm not opposed to CT because 
I don't want to protect users or CAs. I'm just not convinced it's the best 
solution.

It's going to cost engineering time and money for CAs to implement CT. The bean 
counters and execs who control the purse strings are going to ask what they'll 
get for their $$$. They'll ask "so if I spend this money, we won't get hacked, 
right?" and I would have to say no, it's no guarantee that we wouldn't get 
hacked, but if we got hacked we would know about it.

CT is *a* solution, but by no means the only possible solution. Is there 
another solution that might be less expensive and intrusive to implement? CAA 
might get us 80% of the way there for a fraction of the cost. DANE and cert 
pinning also help, and might be simpler to implement. 

-Rick
_______________________________________________
therightkey mailing list
therightkey@ietf.org
https://www.ietf.org/mailman/listinfo/therightkey
