On Sep 27, 2014, at 2:03 PM, Love Hörnquist Åstrand <[email protected]> wrote:
>
>>> - Auditor finds the fraudulent issued cert
>>
>> Exactly how will the Auditor do that?
>
> By looking at logs that the clients care about.

Auditors do not look at the logs, Monitors do that.

> You claim that there will be thousands of logs, I somewhat don't think so
> since then there will be thousands of logs the ca will send the cert to be
> issuing it, and that is not reasonable.
>
> So how do you keep the log honest and stop it from not adding the SCT to the
> log ?
>
> Well, by using gossip about the logs.

Sorry, don't quite understand what you're saying here...

Both SCTs (legitimate and otherwise) will happily be accepted by any log.

Gossip won't help clients detect fraudulent certs issued by rogue CAs (as explained in the "Threat model" thread).

> You are claiming that PKIX and Internet roots are a hopeless endeavor, and I
> somewhat agree, you seem to want us to switch to namecoin and forget about
> Internet roots, and I see that as even more hopeless endeavor short term.

Well, switch to a decent blockchain and using something like DNSChain to talk to it, yes. :)

If Google wanted to make that a reality in the short term, they could.

Kind regards,
Greg Slepak

--
Please do not email me anything that you are not comfortable also sharing with the NSA.
_______________________________________________
Trans mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/trans
