On Oct 25, 2012, at 3:40 PM, Rick Andrews <[email protected]> wrote:
> Protecting users is certainly a motivation and making our customers and their
> end users safer on the Internet is my main goal. I'm not opposed to CT
> because I don't want to protect users or CAs. I'm just not convinced it's the
> best solution.
>
> It's going to cost engineering time and money for CAs to implement CT. The
> bean counters and execs who control the purse strings are going to ask what
> they'll get for their $$$. They'll ask "so if I spend this money, we won't
> get hacked, right?" and I would have to say no, it's no guarantee that we
> wouldn't get hacked, but if we got hacked we would know about it.
>
> CT is *a* solution, but by no means the only possible solution. Is there
> another solution that might be less expensive and intrusive to implement? CAA
> might get us 80% of the way there for a fraction of the cost. DANE and cert
> pinning also help, and might be simpler to implement.

I'm pretty sure CAA is only about preventing good-conscious certificate issuance, not about preventing hacked, nor about knowing about it if you are. How do you see CAA getting you 80% of the way to the problem?

I also don't see DANE or cert pinning as solutions to that problem either, so I guess I'm missing something in your analysis.

--Paul Hoffman

_______________________________________________
therightkey mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/therightkey
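The distinction Paul draws above is that CAA is a check a well-behaved CA runs *before* issuing, whereas CT is a public record that lets others notice a bad certificate *after* it exists. The following is an added example, not code from this thread or from any CA, that models the CA-side CAA evaluation (RFC 6844 semantics: climb toward the root to find the relevant RRset, honour `issue`/`issuewild`, refuse on an unknown critical property). The zone data and the CA name `ca-one.example` are constructed for the example. The point it makes concrete is that every line of policy lives inside the issuing CA's own pipeline: a CA whose issuance path has been hijacked simply never calls `may_issue`, and nothing in CAA records that fact, which is the gap CT's append-only logs are meant to close.

```python
"""Model of a CA's pre-issuance CAA check (RFC 6844 semantics).

Added illustration, not the thread's code. Zone data is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

CRITICAL = 128  # RFC 6844 flag bit: issuer must understand the tag or refuse


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str


# Constructed DNS data, keyed by fully qualified name (trailing dot).
ZONE: Dict[str, List[CAARecord]] = {
    "example.com.": [
        CAARecord(0, "issue", "ca-one.example"),
        CAARecord(0, "issuewild", ";"),  # ";" = nobody may issue wildcards
        CAARecord(0, "iodef", "mailto:security@example.com"),
    ],
    "shop.example.com.": [],        # no CAA here: RFC says climb to parent
    "strict.example.": [
        CAARecord(CRITICAL, "futureprop", "x"),  # unknown critical tag
    ],
    "nocaa.example.": [],
}


def lookup_caa(name: str) -> List[CAARecord]:
    """RFC 6844 sec. 4: walk from the name toward the root, return the
    first non-empty CAA RRset found (an empty list if none exists)."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        rrset = ZONE.get(candidate, [])
        if rrset:
            return rrset
    return []


def parse_issue_value(value: str) -> Tuple[str, Dict[str, str]]:
    """Split 'ca.example; accounturi=...' into (issuer domain, params).
    An empty issuer domain (value ';') means no issuer is authorised."""
    parts = [p.strip() for p in value.split(";")]
    domain = parts[0].lower()
    params: Dict[str, str] = {}
    for p in parts[1:]:
        if "=" in p:
            k, v = p.split("=", 1)
            params[k.strip()] = v.strip()
    return domain, params


KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def may_issue(name: str, ca_domain: str, wildcard: bool = False) -> bool:
    """Decide whether CA `ca_domain` may issue for `name`.

    This function only matters if the CA's issuance pipeline actually
    calls it. A compromised CA that skips it is invisible to CAA, which
    is the detection gap CT addresses.
    """
    rrset = lookup_caa(name)
    if not rrset:
        return True  # no CAA anywhere in the tree: any CA may issue

    # Unknown critical property: the issuer MUST NOT issue.
    for r in rrset:
        if r.flags & CRITICAL and r.tag not in KNOWN_TAGS:
            return False

    tag = "issuewild" if wildcard else "issue"
    relevant = [r for r in rrset if r.tag == tag]
    if wildcard and not relevant:
        # issuewild absent: wildcard requests fall back to issue records
        relevant = [r for r in rrset if r.tag == "issue"]
    if not relevant:
        return True  # RRset carries no issuance restriction (e.g. iodef only)

    for r in relevant:
        domain, _params = parse_issue_value(r.value)
        if domain and domain == ca_domain.lower():
            return True
    return False


if __name__ == "__main__":
    for n, ca, wc in [("example.com.", "ca-one.example", False),
                      ("example.com.", "ca-two.example", False),
                      ("shop.example.com.", "ca-one.example", False),
                      ("example.com.", "ca-one.example", True),
                      ("strict.example.", "ca-one.example", False)]:
        print(f"{n:20} {ca:16} wildcard={wc!s:5} -> {may_issue(n, ca, wc)}")
```

Running the block prints one decision per request. Every `False` is a refusal made by the CA itself; a relying party or the domain owner learns nothing from the exercise unless the CA also logs what it did issue, which is what CT supplies.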
