Dear Ralph, On Sep 28, 2014, at 5:17 AM, Ralph Holz <[email protected]> wrote:
> The latter factor gives huge leeway in the number of certs accepted by > browsers as root certs. But however you look at it, the number of such > certs will be comfortably below 1000 - anything from the 150+ root certs > in the Mozilla store up to a few hundred. Thanks for clarifying some of this! This is just Mozilla, however. Even if we go by your numbers, we still need to do a union on the certs accepted by other browsers, and other operating systems. Do you happen to have numbers for that too? > Just requiring, say, 3 SCTs in a handshake > would already result in considerable work for the attacker Yes, I think that would improve things. > (I know the current number is 2, though). The current number is 1 according to the most recent version of the RFC I could find (bis-04): https://raw.githubusercontent.com/google/certificate-transparency-rfcs/master/draft-ietf-trans-rfc6962-bis-04.txt > There is no need for clients to cooperate with 1000 logs. Well, if they want to know for certain that they weren't MITM'd, they're going to have to search up to a 1000 logs (or several hundred, whatever the number happens to be). Kind regards, Greg Slepak -- Please do not email me anything that you are not comfortable also sharing with the NSA.
signature.asc
Description: Message signed with OpenPGP using GPGMail
_______________________________________________ Trans mailing list [email protected] https://www.ietf.org/mailman/listinfo/trans
