Hi everyone, I've been thinking lately about the incentives that certificate logs have for operating, and would like to start a discussion centered around the costs and incentives for certificate log operators.
It seems to me that CT relies on the altruism of log operators. As far as I know, logs don't receive any sort of compensation for operating, and of the current known and included logs listed on the CT site [1], 4 are run by Google and 5 are run by CAs (Symantec, WoSign/StartSSL, and CNNIC) that had some sort of security incident in the past and had to implement CT as a result [2-4]. So besides the fact that CT will be required in October, what incentives are there to run a certificate log? Are there any plans to add incentives for logs to operate?

Complementary to the above question is whether or not the incentives that log operators have outweigh the cost of running a log. I estimate that the storage cost of the certificate entries for the largest log (Google Pilot) is on the order of several hundred gigabytes, and that the cost of reliability, staff, etc. is quite expensive. But if there are any log operators who can comment more on this, that would be great.

Moreover, as far as I know, CT also relies on the altruism of log monitors. Logs currently don't offer a way to retrieve entries by domain name, so it's difficult for a domain to query the logs for its own certificates (some of which may be rogue). Moreover, proving that a certificate is not in a log requires checking the entire tree. Therefore, CT needs monitors who periodically retrieve all newly-logged certificates and check for suspicious certificates, and it's not entirely clear how monitors decide whether a certificate is suspicious. What are the incentives for these monitors?

Given that the number of logs is small and will probably be limited by Google (partially because monitoring becomes difficult otherwise), are there any plans to incentivize the "best" logs, i.e., those that keep the most certificates or have the highest uptime? Is incentivizing logs in this way something that we should do?
I'd be very interested in getting feedback from everyone, particularly log operators and monitors, about this.

- Steve

[1] https://www.certificate-transparency.org/known-logs
[2] https://security.googleblog.com/2015/03/maintaining-digital-certificate-security.html
[3] https://security.googleblog.com/2015/10/sustaining-digital-certificate-security.html
[4] https://security.googleblog.com/2016/10/distrusting-wosign-and-startcom.html

Trans mailing list: https://www.ietf.org/mailman/listinfo/trans
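The post's monitoring point (logs cannot be queried by domain name, and a log can prove that an entry is present but not that one is absent, so a monitor has to walk every leaf) is easy to see in code. The Python below is an added example, not code from the post, from the IETF trans working group, or from any CT log or monitor project. It implements RFC 6962 Merkle tree hashing, audit-path generation and the RFC 9162 inclusion-proof check, and then runs a monitor-style scan that flags every certificate naming a watched domain that the domain owner did not issue. Everything in the data section is a constructed assumption: the flat `CN=...;SAN=...` leaf format (a real log's `MerkleTreeLeaf` is a TLS-encoded structure wrapping X.509 DER, which you would parse instead), the five sample leaves, the watched domain, and the set of known certificates.

```python
import hashlib
from typing import FrozenSet, List, Set, Tuple


def leaf_hash(leaf: bytes) -> bytes:
    """RFC 6962 leaf hash: SHA-256 over a 0x00 prefix and the leaf bytes."""
    return hashlib.sha256(b"\x00" + leaf).digest()


def node_hash(left: bytes, right: bytes) -> bytes:
    """RFC 6962 interior node hash: SHA-256 over a 0x01 prefix and both children."""
    return hashlib.sha256(b"\x01" + left + right).digest()


def _split_point(n: int) -> int:
    """Largest power of two strictly less than n (n >= 2): the RFC 6962 split."""
    k = 1
    while k * 2 < n:
        k *= 2
    return k


def tree_head(leaves: List[bytes]) -> bytes:
    """Merkle Tree Hash of the leaf list; the empty tree hashes to SHA-256('')."""
    n = len(leaves)
    if n == 0:
        return hashlib.sha256(b"").digest()
    if n == 1:
        return leaf_hash(leaves[0])
    k = _split_point(n)
    return node_hash(tree_head(leaves[:k]), tree_head(leaves[k:]))


def inclusion_proof(leaves: List[bytes], index: int) -> List[bytes]:
    """Audit path for leaf `index` (RFC 6962 section 2.1.1), leaf-to-root order."""
    n = len(leaves)
    if n <= 1:
        return []
    k = _split_point(n)
    if index < k:
        return inclusion_proof(leaves[:k], index) + [tree_head(leaves[k:])]
    return inclusion_proof(leaves[k:], index - k) + [tree_head(leaves[:k])]


def verify_inclusion(leaf: bytes, index: int, tree_size: int,
                     proof: List[bytes], root: bytes) -> bool:
    """Recompute the root from leaf + audit path (RFC 9162 section 2.1.3.2)."""
    if index >= tree_size:
        return False
    fn, sn = index, tree_size - 1
    r = leaf_hash(leaf)
    for p in proof:
        if sn == 0:
            return False
        if fn & 1 or fn == sn:
            r = node_hash(p, r)
            if not fn & 1:
                # Skip levels at which this subtree is the whole right edge.
                while fn != 0 and not fn & 1:
                    fn >>= 1
                    sn >>= 1
        else:
            r = node_hash(r, p)
        fn >>= 1
        sn >>= 1
    return sn == 0 and r == root


# ---- Constructed monitor data (assumption: not real log entries) ----
# A real MerkleTreeLeaf wraps X.509 DER; here each leaf is a flat
# "CN=<subject>;SAN=<name>,<name>" record so the example runs offline.
SAMPLE_LEAVES: List[bytes] = [
    b"CN=www.example.com;SAN=www.example.com,example.com",
    b"CN=mail.example.org;SAN=mail.example.org",
    b"CN=login.example.com;SAN=login.example.com",          # not issued by us
    b"CN=cdn.example.net;SAN=cdn.example.net,example.net",
    b"CN=example.com.evil.test;SAN=example.com.evil.test",  # lookalike, not ours
]
WATCHED_DOMAIN = "example.com"
# SAN sets the domain owner knows it requested (assumed).
KNOWN_CERTS: Set[FrozenSet[str]] = {frozenset({"www.example.com", "example.com"})}


def parse_leaf(leaf: bytes) -> Tuple[str, FrozenSet[str]]:
    """Parse the constructed leaf format into (CN, set of SAN names)."""
    fields = dict(part.split("=", 1) for part in leaf.decode().split(";"))
    return fields["CN"], frozenset(fields["SAN"].split(","))


def covers_domain(name: str, watched: str) -> bool:
    """True for the watched domain itself or any subdomain; lookalikes do not match."""
    return name == watched or name.endswith("." + watched)


def scan_for_domain(leaves: List[bytes], watched: str,
                    known: Set[FrozenSet[str]]) -> List[Tuple[int, str, FrozenSet[str]]]:
    """Monitor pass. Every leaf is inspected, because a log cannot prove absence
    and cannot be queried by name. Returns (index, CN, SANs) for certificates
    that name the watched domain but whose SAN set is not in `known`."""
    hits = []
    for index, leaf in enumerate(leaves):
        cn, sans = parse_leaf(leaf)
        if any(covers_domain(n, watched) for n in sans) and sans not in known:
            hits.append((index, cn, sans))
    return hits


if __name__ == "__main__":
    root = tree_head(SAMPLE_LEAVES)
    for index, cn, sans in scan_for_domain(SAMPLE_LEAVES, WATCHED_DOMAIN, KNOWN_CERTS):
        proof = inclusion_proof(SAMPLE_LEAVES, index)
        ok = verify_inclusion(SAMPLE_LEAVES[index], index, len(SAMPLE_LEAVES), proof, root)
        print(f"suspicious leaf {index}: CN={cn} SAN={sorted(sans)} inclusion_ok={ok}")
```

The inclusion proof lets the monitor pin the flagged entry to a signed tree head it can later show to the log operator or CA, but note the asymmetry the post raises: `verify_inclusion` answers "is this leaf in the tree?", and nothing in the proof machinery answers "is there no certificate for example.com?", which is why `scan_for_domain` has to touch every leaf. The `sans not in known` rule is one deliberately simple answer to the "how does a monitor decide what is suspicious" question; real monitors would also compare issuers, validity windows and key material against what the domain owner expects.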
