On Sep 27, 2014, at 2:19 PM, Matt Palmer <[email protected]> wrote:

> On Sat, Sep 27, 2014 at 09:58:56AM -0700, Tao Effect wrote:
>> "No barrier"? Subjects (domain owners) would need to monitor *all* the logs 
>> out there.
>> 
>> There will be like 1000+ logs out there.
> 
> "Citation needed", as the Wikipedians say.  I'm not sure how you could
> possibly come to that conclusion.

I am citing your own documentation:

"we think “every major CA” is within limits of feasibility"

http://www.certificate-transparency.org/faq

And using Jacob's numbers from here:

http://www.ietf.org/mail-archive/web/therightkey/current/msg00745.html

> Please also see these estimates which are even higher:
> 
> https://zakird.com/slides/durumeric-https-imc13.pdf
> 
> "Identified 1,832 CA certificates belonging to 683 organizations"
> "311 (45%) of the organizations were provided certificates by
> German National Research and Education Network (DFN) "
> 
> http://link.springer.com/chapter/10.1007%2F978-3-642-39884-1_28
> 
> "More than 1200 root and intermediate CAs can currently sign
> certificates for any domain and be trusted by popular browsers."

Now, should the number be less than 1000, it will still be in the hundreds, and 
that is still impractical for Monitors to provide any sort of a useful service 
to most website owners.

Not to mention that it does nothing to help with gossiping clients; they will 
still be MITM attacked, and they will likely not notice it for the 
aforementioned reasons.

Kind regards,
Greg Slepak

--
Please do not email me anything that you are not comfortable also sharing with 
the NSA.
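
What "monitoring a log" actually means for a domain owner, as an added example that is not part of this thread and not code from the Certificate Transparency project: a Go program that wraps constructed self-signed certificates in RFC 6962 MerkleTreeLeaf records, stands in for several logs with in-memory entry slices (a real monitor would fetch them from each log's get-entries endpoint and also handle precert entries), and scans them for any certificate whose CN or SAN could be used for a host under example.com. The function names, the sample certificates and the timestamp are this example's own assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/binary"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Hit records one log entry whose certificate covers a name under the watched domain.
type Hit struct {
	Log   int      // index of the (hypothetical) log in the monitor's list
	Index int      // entry index within that log
	Names []string // CN/SAN values that triggered the match
}

// makeCert builds a self-signed certificate (constructed sample, not a CA-issued one).
func makeCert(cn string, sans []string) []byte {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     sans,
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return der
}

// buildLeaf encodes an RFC 6962 MerkleTreeLeaf: version v1 (0), leaf_type
// timestamped_entry (0), uint64 timestamp in ms, entry_type x509_entry (0),
// a 24-bit length-prefixed DER certificate, and an empty extensions field (16-bit length 0).
func buildLeaf(timestampMs uint64, certDER []byte) []byte {
	hdr := make([]byte, 15) // bytes 0,1 and 10,11 stay zero: v1, timestamped_entry, x509_entry
	binary.BigEndian.PutUint64(hdr[2:10], timestampMs)
	n := len(certDER)
	hdr[12], hdr[13], hdr[14] = byte(n>>16), byte(n>>8), byte(n)
	return append(append(hdr, certDER...), 0, 0)
}

// parseLeaf decodes an x509_entry leaf; precert entries carry a TBSCertificate and are rejected here.
func parseLeaf(leaf []byte) (*x509.Certificate, error) {
	if len(leaf) < 17 || leaf[0] != 0 || leaf[1] != 0 {
		return nil, errors.New("leaf too short or unsupported version/leaf type")
	}
	if et := binary.BigEndian.Uint16(leaf[10:12]); et != 0 {
		return nil, fmt.Errorf("entry type %d not handled", et)
	}
	n := int(leaf[12])<<16 | int(leaf[13])<<8 | int(leaf[14])
	if len(leaf) < 15+n+2 {
		return nil, errors.New("truncated certificate")
	}
	return x509.ParseCertificate(leaf[15 : 15+n])
}

// nameCovers reports whether a certificate name (possibly a wildcard) could be
// presented for a host under the watched domain; *.com covers example.com too.
func nameCovers(certName, domain string) bool {
	certName, domain = strings.ToLower(strings.TrimSuffix(certName, ".")), strings.ToLower(domain)
	if base, ok := strings.CutPrefix(certName, "*."); ok {
		return base == domain || strings.HasSuffix(domain, "."+base) || strings.HasSuffix(base, "."+domain)
	}
	return certName == domain || strings.HasSuffix(certName, "."+domain)
}

// coveringNames returns the CN and SANs of cert that cover the watched domain, deduplicated.
func coveringNames(cert *x509.Certificate, domain string) []string {
	var out []string
	seen := map[string]bool{}
	for _, n := range append([]string{cert.Subject.CommonName}, cert.DNSNames...) {
		if n != "" && !seen[n] && nameCovers(n, domain) {
			seen[n] = true
			out = append(out, n)
		}
	}
	return out
}

// scanLogs is the monitor's core loop: every entry of every log it knows about.
func scanLogs(logs [][][]byte, domain string) ([]Hit, error) {
	var hits []Hit
	for li, entries := range logs {
		for ei, leaf := range entries {
			cert, err := parseLeaf(leaf)
			if err != nil {
				return nil, fmt.Errorf("log %d entry %d: %w", li, ei, err)
			}
			if names := coveringNames(cert, domain); len(names) > 0 {
				hits = append(hits, Hit{Log: li, Index: ei, Names: names})
			}
		}
	}
	return hits, nil
}

func main() {
	ts := uint64(1411836000000) // constructed timestamp, roughly the date of this thread
	logs := [][][]byte{ // constructed sample: three logs with in-memory entries
		{buildLeaf(ts, makeCert("www.example.com", []string{"www.example.com", "example.com"}))},
		{buildLeaf(ts, makeCert("mail.other.org", []string{"mail.other.org"}))},
		{buildLeaf(ts, makeCert("*.example.com", []string{"*.example.com"})), buildLeaf(ts, makeCert("cdn.other.org", nil))},
	}
	hits, err := scanLogs(logs, "example.com")
	if err != nil {
		panic(err)
	}
	partial, _ := scanLogs(logs[:1], "example.com")
	fmt.Printf("all %d logs: %d matching entries; first log only: %d\n", len(logs), len(hits), len(partial))
	for _, h := range hits {
		fmt.Printf("  log %d entry %d: %v\n", h.Log, h.Index, h.Names)
	}
}
```

Scanning only logs[:1] reports the owner's own certificate and nothing else; the wildcard certificate in the third log is only seen when every log is covered, which is why the number of logs matters to what a Monitor can promise.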

_______________________________________________
Trans mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/trans