Dear Ben,

On Sep 27, 2014, at 4:53 AM, Ben Laurie <[email protected]> wrote:

> I agree that CT doesn't mitigate mis-issuance for subjects that do not
> participate.

If by "participate" you mean owners who submit their certs to logs, CT doesn't detect mis-issuance even for those who do, as that email explained.

> On monitors and guarantees - anyone can run a monitor,
> including, of course, the subjects themselves, so clearly there's no
> barrier to participation for subjects who want to participate.

"No barrier"? Subjects (domain owners) would need to monitor *all* the logs out there. There will be like 1000+ logs out there. Each log will be how large (gigabytes?), and CT is not P2P, so Monitors must *poll* 1000+ logs constantly for updates, just for the purpose of detecting mis-issuance.

On top of this, Section 4.6 of your RFC (bis-04) states that logs are not required to send monitors everything they ask for, making it unclear whether a log is misbehaving or not.

This is not practical.

But that is all beside the point. The point is that gossip doesn't detect mis-issuance, whether or not "subjects participate" in CT.

Kind regards,
Greg Slepak

--
Please do not email me anything that you are not comfortable also sharing with the NSA.
_______________________________________________
Trans mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/trans
