> -----Original Message-----
> From: Paul Hoffman [mailto:paul.hoff...@vpnc.org]
> Sent: Thursday, October 25, 2012 4:18 PM
> To: Rick Andrews
> Cc: therightkey@ietf.org
> Subject: Other solutions to the problem
> 
> On Oct 25, 2012, at 3:40 PM, Rick Andrews <rick_andr...@symantec.com> wrote:
> 
> > Protecting users is certainly a motivation and making our customers
> > and their end users safer on the Internet is my main goal. I'm not
> > opposed to CT because I don't want to protect users or CAs. I'm just
> > not convinced it's the best solution.
> >
> > It's going to cost engineering time and money for CAs to implement
> > CT. The bean counters and execs who control the purse strings are going
> > to ask what they'll get for their $$$. They'll ask "so if I spend this
> > money, we won't get hacked, right?" and I would have to say no, it's no
> > guarantee that we wouldn't get hacked, but if we got hacked we would
> > know about it.
> >
> > CT is *a* solution, but by no means the only possible solution. Is
> > there another solution that might be less expensive and intrusive to
> > implement? CAA might get us 80% of the way there for a fraction of the
> > cost. DANE and cert pinning also help, and might be simpler to
> > implement.
> 
> 
> I'm pretty sure CAA is only about preventing good-conscious certificate
> issuance, not about preventing hacked, nor about knowing about it if
> you are. How do you see CAA getting you 80% of the way to the problem?
> 
> I also don't see DANE or cert pinning as solutions to that problem
> either, so I guess I'm missing something in your analysis.

The problem is that any CA can issue a certificate for a given domain name and 
all browsers will trust it. CT allows Paypal (just an example) to detect that 
some unexpected CA issued a cert for one of their domains. If CAA is used by 
the CA being hacked, their system should refuse to issue the cert to Paypal's 
domain. DANE or cert pinning would allow a client to detect that the 
certificate issued by the CA being hacked is bogus.

AFAICT, for CT to really work it will require participation from every CA whose 
roots are in browsers. I think you're underestimating how hard it will be to 
achieve that.

Further, no one has yet brought up the privacy issue. CAs sell a lot of 
certificates to companies for their internal use. Some of them may object to 
publishing all their internal domain names. 

-Rick


_______________________________________________
therightkey mailing list
therightkey@ietf.org
https://www.ietf.org/mailman/listinfo/therightkey
