On 1/3/14, 12:37 PM, "Ralph Holz" <h...@net.in.tum.de> wrote:
>Hi, > >>> Alternatively, pull the root cert from which MD5 signatures were >>>issued. >>> As the MD5 attack still had considerable cost (for the hobby blackhat, >>> not a 3-letter agency), it was deemed that this must suffice for a >>>while. >> >> To make the discussion CT-compliant, having logs provide a list of >> algorithms that are used by each CA would be a nice feature to enable >> decisions like this. > >Although, in the case you mention, that would not help all that much. >Fortunately, the days of MD5 in X.509 are over. I imagine other algorithms will see a similar fate at some point. > >But in fact, I've been thinking for a while that an additional >monitoring infrastructure would be a nice-to-have thing in addition to >CT --- and, FWIW, also TACK --- I view both drafts as naturally >complementing each other. Yes, better monitoring tools would be very helpful. > >CT, for example, is not meant to address the issue of whether >certificates have been deployed correctly (e.g. correct host). I think >active scans are still worthwhile to collect such information. Identifying types of metrics that are useful to draw from a CT collections seems like a worthwhile exercise. Improved awareness of how a CA is used sits under many suggestions, such as yours above to remove root CAs that have used MD5. > >Ralph > >-- >Ralph Holz >I8 - Network Architectures and Services >Technische Universität München >http://www.net.in.tum.de/de/mitarbeiter/holz/ >Phone +49.89.289.18043 >PGP: A805 D19C E23E 6BBB E0C4 86DC 520E 0C83 69B0 03EF >_______________________________________________ >therightkey mailing list >therightkey@ietf.org >https://www.ietf.org/mailman/listinfo/therightkey _______________________________________________ therightkey mailing list therightkey@ietf.org https://www.ietf.org/mailman/listinfo/therightkey
