Sorry for the long delay in responding to this--I needed to do some reading to figure out if I agreed with what you said.
The piece I was missing is that I didn't realize there was a process in place for requiring certificate transparency for any cert. The plan to require certificate transparency in Chrome for Extended Validation certs sounds like a good start on making this happen, and does to some extent address my concern, although ultimately CT has to be required by the browser for _all_ certs before it really mitigates the key pinning attack I described. But that's a path forward that I think is plausible.

So from my perspective, if the security considerations talks about the hostile pinning attack and suggests mandatory CT as a future way of addressing the problem, that would satisfy my DISCUSS.

I don't entirely agree with your observations about DNSSEC--I think I failed to effectively communicate the solution I was proposing, and so your response isn't actually addressing what I proposed. But I don't care as long as the problem is addressed, and I do agree that once certificate transparency is mandatory, that will in fact be a better mitigation strategy than the DNSSEC-based strategy I suggested.

_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec
