Hi,

>> Although, in the case you mention, that would not help all that much.
>> Fortunately, the days of MD5 in X.509 are over.
>
> I imagine other algorithms will see a similar fate at some point.

Yes. SHA1 is next. There used to be some hesitation to switch to SHA1 due to, IIRC, concerns that older Windows versions wouldn't be able to make the switch. With Microsoft themselves announcing EOL for SHA1, that problem seems to be gone.

>> But in fact, I've been thinking for a while that an additional
>> monitoring infrastructure would be a nice-to-have thing in addition to
>> CT --- and, FWIW, also TACK --- I view both drafts as naturally
>> complementing each other.
>
> Yes, better monitoring tools would be very helpful.

I also think that the possibilities of auditors and monitors are woefully underspecified. Of course, the draft cannot add too many distinct use cases. For the monitors, I think it might be nice to have, say, a BCP-like text that specifies how a CA or a larger company can monitor that their domain names occur only in the correct certificates. Some kind of straightforward set of instructions. Maybe extended with a few more algorithms to check logged certs for other things -- compliance with BR or EV comes to mind.

As for auditors, I am wondering if anyone is working on a FF or Chrome add-on that tests consistency of a log. I appreciate it's not a prime priority.

Ralph

-- 
Ralph Holz
I8 - Network Architectures and Services
Technische Universität München
http://www.net.in.tum.de/de/mitarbeiter/holz/
Phone +49.89.289.18043
PGP: A805 D19C E23E 6BBB E0C4 86DC 520E 0C83 69B0 03EF

_______________________________________________
therightkey mailing list
https://www.ietf.org/mailman/listinfo/therightkey
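The consistency check an auditor add-on would perform, as an added example that is not part of the message above or of any CT implementation: RFC 6962 Merkle tree hashing, the log's side (producing PROOF(first, D[n])) and the auditor's side (the RFC 9162 section 2.1.4.2 verification that an older tree head is a prefix of a newer one). The leaf inputs are constructed placeholders standing in for certificate entries, so everything runs offline.

```python
import hashlib

def leaf_hash(data):    # RFC 6962 leaf: SHA-256(0x00 || data)
    return hashlib.sha256(b"\x00" + data).digest()

def node_hash(left, right):    # RFC 6962 interior node: SHA-256(0x01 || left || right)
    return hashlib.sha256(b"\x01" + left + right).digest()

def tree_hash(leaves):    # Merkle Tree Hash MTH(D[n]) over the leaf inputs
    if len(leaves) <= 1:
        return leaf_hash(leaves[0]) if leaves else hashlib.sha256(b"").digest()
    k = 1 << ((len(leaves) - 1).bit_length() - 1)   # largest power of two < n
    return node_hash(tree_hash(leaves[:k]), tree_hash(leaves[k:]))

def consistency_proof(first, leaves):    # log side: PROOF(first, D[n]), RFC 6962 2.1.2
    def sub(m, lo, hi, complete):
        n = hi - lo
        if m == n:
            return [] if complete else [tree_hash(leaves[lo:hi])]
        k = 1 << ((n - 1).bit_length() - 1)   # largest power of two < n
        if m <= k:
            return sub(m, lo, lo + k, complete) + [tree_hash(leaves[lo + k:hi])]
        return sub(m - k, lo + k, hi, False) + [tree_hash(leaves[lo:lo + k])]
    return sub(first, 0, len(leaves), True)

def verify_consistency(first, second, first_hash, second_hash, proof):
    """Auditor side (RFC 9162 2.1.4.2): is the old tree head a prefix of the new one?"""
    if first == second:
        return first_hash == second_hash and not proof
    if first == 0 or first > second or not proof:   # proofs are defined for 0 < first < second
        return False
    path = list(proof)
    if first & (first - 1) == 0:   # power of two: the old root is itself a node of the new tree
        path.insert(0, first_hash)
    fn, sn = first - 1, second - 1
    while fn & 1:                  # drop trailing 1 bits
        fn, sn = fn >> 1, sn >> 1
    fr = sr = path[0]
    for c in path[1:]:
        if sn == 0:
            return False           # more path elements than the tree sizes allow
        if fn & 1 or fn == sn:     # c is a left sibling shared by both trees
            fr, sr = node_hash(c, fr), node_hash(c, sr)
            while fn and not fn & 1:
                fn, sn = fn >> 1, sn >> 1
        else:                      # c belongs only to the newer tree
            sr = node_hash(sr, c)
        fn, sn = fn >> 1, sn >> 1
    return fr == first_hash and sr == second_hash and sn == 0
```

A real auditor would take `first`/`second` and the two root hashes from signed tree heads and fetch the proof from the log's get-sth-consistency endpoint; a verification failure means the log has not behaved as append-only between the two heads.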