From lists at internetpolicyagency.com Mon Jul 1 10:51:32 2013
From: lists at internetpolicyagency.com (Roland Perry)
Date: Mon, 1 Jul 2013 10:51:32 +0100
Subject: Doormat argument about Voicemail dismissed by Court of Appeal
In-Reply-To: <51D05CBA.1080001@zen.co.uk>
References: <1C103425-09F3-47C4-9711-B685D998A634@batten.eu.org> <20130630134803.GK15311@snowy.squish.net> <51D05CBA.1080001@zen.co.uk>
Message-ID: <9Z2mkcUkEV0RFA58@perry.co.uk>

In article <51D05CBA.1080001 at zen.co.uk>, Peter Fairbrother writes
>BTW, some ISPs delete email when downloaded,

What, even if you tick "keep email on server" in your email client?

(aiui the syntax of a POP3 session is first of all to download what you want, and then delete what you don't want to keep on the server, so "keeping it on the server" is actually the simpler option.)

>some keep it available for a set period unless manually deleted - the
>Court didn't seem to know that.

Some ISPs apparently delete the "kept" email after a set period (typically a month). This would be very high up on my list of reasons to avoid that ISP. It's none of their business over-riding my decision to keep a copy. Unless it exceeds some sort of storage quota, but that should be measured in gigabytes these days.

--
Roland Perry

From igb at batten.eu.org Mon Jul 1 12:34:37 2013
From: igb at batten.eu.org (Ian Batten)
Date: Mon, 1 Jul 2013 12:34:37 +0100
Subject: Doormat argument about Voicemail dismissed by Court of Appeal
In-Reply-To: <51D05CBA.1080001@zen.co.uk>
References: <1C103425-09F3-47C4-9711-B685D998A634@batten.eu.org> <20130630134803.GK15311@snowy.squish.net> <51D05CBA.1080001@zen.co.uk>
Message-ID: <1276F98B-AE2D-4B2A-8040-0F5470BA18A5@batten.eu.org>

On 30 Jun 2013, at 17:28, Peter Fairbrother wrote:
>
> BTW, some ISPs delete email when downloaded,

What proportion of email users are still using POP3 and downloading a local copy?
Single figure percent, I would suspect, compared to the vast majority who are using webmail of some sort, and the geekerati who might be using IMAP4. It implies a model of usage --- a single device with substantial local storage, talking to a remote server with limited storage --- which simply doesn't apply today.

ian

From Andrew.Cormack at ja.net Mon Jul 1 13:20:10 2013
From: Andrew.Cormack at ja.net (Andrew Cormack)
Date: Mon, 1 Jul 2013 12:20:10 +0000
Subject: Doormat argument about Voicemail dismissed by Court of Appeal
In-Reply-To: <1276F98B-AE2D-4B2A-8040-0F5470BA18A5@batten.eu.org>
References: <1C103425-09F3-47C4-9711-B685D998A634@batten.eu.org> <20130630134803.GK15311@snowy.squish.net> <51D05CBA.1080001@zen.co.uk> <1276F98B-AE2D-4B2A-8040-0F5470BA18A5@batten.eu.org>
Message-ID: <61E52F3A5532BE43B0211254F13883AE97FFC723@EXC001>

> -----Original Message-----
> From: ukcrypto-bounces at chiark.greenend.org.uk [mailto:ukcrypto-
> bounces at chiark.greenend.org.uk] On Behalf Of Ian Batten
> Sent: 01 July 2013 12:35
> To: UK Cryptography Policy Discussion Group
> Subject: Re: Doormat argument about Voicemail dismissed by Court of
> Appeal
>
>
> On 30 Jun 2013, at 17:28, Peter Fairbrother
> wrote:
> >
> > BTW, some ISPs delete email when downloaded,
>
> What proportion of email users are still using POP3 and downloading a
> local copy? Single figure percent, I would suspect, compared to the
> vast majority who are using webmail of some sort, and the geekerati who
> might be using IMAP4. It implies a model of usage --- a single device
> with substantial local storage, talking to a remote server with limited
> storage --- which simply doesn't apply today.
>
> ian
>

Looking at the quote para 22 of the judgment, it seems the original HC judge (or whoever was briefing him) is still using POP ;-)

http://www.bailii.org/ew/cases/EWCA/Crim/2013/1026.html

I reckon IMAP/webmail are much closer to the voicemail analogy/precedent

Andrew

From lists at internetpolicyagency.com Mon Jul 1 14:13:22 2013
From: lists at internetpolicyagency.com (Roland Perry)
Date: Mon, 1 Jul 2013 14:13:22 +0100
Subject: Doormat argument about Voicemail dismissed by Court of Appeal
In-Reply-To: <1276F98B-AE2D-4B2A-8040-0F5470BA18A5@batten.eu.org>
References: <1C103425-09F3-47C4-9711-B685D998A634@batten.eu.org> <20130630134803.GK15311@snowy.squish.net> <51D05CBA.1080001@zen.co.uk> <1276F98B-AE2D-4B2A-8040-0F5470BA18A5@batten.eu.org>
Message-ID:

In article <1276F98B-AE2D-4B2A-8040-0F5470BA18A5 at batten.eu.org>, Ian Batten writes
>What proportion of email users are still using POP3 and downloading a local copy? Single figure percent, I would suspect, compared to the vast
>majority who are using webmail of some sort, and the geekerati who might be using IMAP4. It implies a model of usage --- a single device with
>substantial local storage, talking to a remote server with limited storage --- which simply doesn't apply today.

Isn't it also more to do with "always on" connectivity. Using webmail without it, is frankly useless. And if travelling overseas, not only is bandwidth harder to find, it's often very expensive.

I'm sticking with my Offline reader, thanks.
--
Roland Perry

From igb at batten.eu.org Mon Jul 1 15:20:21 2013
From: igb at batten.eu.org (Ian Batten)
Date: Mon, 1 Jul 2013 15:20:21 +0100
Subject: Doormat argument about Voicemail dismissed by Court of Appeal
In-Reply-To:
References: <1C103425-09F3-47C4-9711-B685D998A634@batten.eu.org> <20130630134803.GK15311@snowy.squish.net> <51D05CBA.1080001@zen.co.uk> <1276F98B-AE2D-4B2A-8040-0F5470BA18A5@batten.eu.org>
Message-ID:

On 1 Jul 2013, at 14:13, Roland Perry wrote:

> In article <1276F98B-AE2D-4B2A-8040-0F5470BA18A5 at batten.eu.org>, Ian Batten writes
>> What proportion of email users are still using POP3 and downloading a local copy? Single figure percent, I would suspect, compared to the vast
>> majority who are using webmail of some sort, and the geekerati who might be using IMAP4. It implies a model of usage --- a single device with
>> substantial local storage, talking to a remote server with limited storage --- which simply doesn't apply today.
>
> Isn't it also more to do with "always on" connectivity. Using webmail without it, is frankly useless. And if travelling overseas, not only is bandwidth harder to find, it's often very expensive.

Would it be risking offence to suggest that you (and, indeed, I) may not be the most typical of users?

Being able to read previously-read email whilst disconnected may be something that people don't think about, rather than don't need, but I gather that gmail has quite a few users these days.
ian

From zenadsl6186 at zen.co.uk Mon Jul 1 18:39:53 2013
From: zenadsl6186 at zen.co.uk (Peter Fairbrother)
Date: Mon, 01 Jul 2013 18:39:53 +0100
Subject: Doormat argument about Voicemail dismissed by Court of Appeal
In-Reply-To: <1276F98B-AE2D-4B2A-8040-0F5470BA18A5@batten.eu.org>
References: <1C103425-09F3-47C4-9711-B685D998A634@batten.eu.org> <20130630134803.GK15311@snowy.squish.net> <51D05CBA.1080001@zen.co.uk> <1276F98B-AE2D-4B2A-8040-0F5470BA18A5@batten.eu.org>
Message-ID: <51D1BEE9.8070901@zen.co.uk>

On 01/07/13 12:34, Ian Batten wrote:
>
> On 30 Jun 2013, at 17:28, Peter Fairbrother wrote:
>>
>> BTW, some ISPs delete email when downloaded,
>
> What proportion of email users are still using POP3 and downloading a local copy? Single figure percent, I would suspect, compared to the vast majority who are using webmail of some sort, and the geekerati who might be using IMAP4. It implies a model of usage --- a single device with substantial local storage, talking to a remote server with limited storage --- which simply doesn't apply today.

My ISP (Zen) certainly does it the POP3/delete way, I think perhaps for privacy reasons rather than for server space reasons.

I can use webmail as well/instead if I want; emails are not deleted by default from the server if I do, only when downloaded to my main machine's email program.

This means my main machine has copies of all my emails, but I can still access email from a laptop or cafe if needed. I think it is a good solution.

I also do not think that the proportion of users who exclusively use webmail and never download a local copy is considerably less than 90 percent. Suppose someone sends you a family photo as an attachment? Local copies are much more convenient, indeed almost essential, then.
--
Peter Fairbrother

From zenadsl6186 at zen.co.uk Mon Jul 1 18:49:06 2013
From: zenadsl6186 at zen.co.uk (Peter Fairbrother)
Date: Mon, 01 Jul 2013 18:49:06 +0100
Subject: Doormat argument about Voicemail dismissed by Court of Appeal
In-Reply-To:
References: <1C103425-09F3-47C4-9711-B685D998A634@batten.eu.org> <20130630134803.GK15311@snowy.squish.net> <51D05CBA.1080001@zen.co.uk> <1276F98B-AE2D-4B2A-8040-0F5470BA18A5@batten.eu.org>
Message-ID: <51D1C112.8030305@zen.co.uk>

On 01/07/13 15:20, Ian Batten wrote:
>
> On 1 Jul 2013, at 14:13, Roland Perry wrote:
>
>> In article<1276F98B-AE2D-4B2A-8040-0F5470BA18A5 at batten.eu.org>, Ian Batten writes
>>> What proportion of email users are still using POP3 and downloading a local copy? Single figure percent, I would suspect, compared to the vast
>>> majority who are using webmail of some sort, and the geekerati who might be using IMAP4. It implies a model of usage --- a single device with
>>> substantial local storage, talking to a remote server with limited storage --- which simply doesn't apply today.
>>
>> Isn't it also more to do with "always on" connectivity. Using webmail without it, is frankly useless. And if travelling overseas, not only is bandwidth harder to find, it's often very expensive.
>
> Would it be risking offence to suggest that you (and, indeed, I) may not be the most typical of users?
>
> Being able to read previously-read email whilst disconnected may be something that people don't think about, rather than don't need, but I gather that gmail has quite a few users these days.

You can use POP3 with gmail if you want, though it isn't default. People frequently do.

You can also use IMAP if you want to sync a complete (ie including sent items, drafts etc) local copy of your email database with the server copy. Again people frequently do.

I believe it just involves flicking a tab on the gmail page, and entering details in an email client.
--
Peter Fairbrother

From lists at internetpolicyagency.com Mon Jul 1 20:28:10 2013
From: lists at internetpolicyagency.com (Roland Perry)
Date: Mon, 1 Jul 2013 20:28:10 +0100
Subject: Doormat argument about Voicemail dismissed by Court of Appeal
In-Reply-To:
References: <1C103425-09F3-47C4-9711-B685D998A634@batten.eu.org> <20130630134803.GK15311@snowy.squish.net> <51D05CBA.1080001@zen.co.uk> <1276F98B-AE2D-4B2A-8040-0F5470BA18A5@batten.eu.org>
Message-ID:

In article , Ian Batten writes
>> Isn't it also more to do with "always on" connectivity. Using webmail without it, is frankly useless. And if travelling overseas, not only is
>>bandwidth harder to find, it's often very expensive.
>
>Would it be risking offence to suggest that you (and, indeed, I) may not be the most typical of users?
>
>Being able to read previously-read email whilst disconnected may be something that people don't think about, rather than don't need, but I
>gather that gmail has quite a few users these days.

But I'm not reading previously-read email. I'm catching up on the email that arrived when I last had connectivity, before:

I boarded the aircraft
The train went into a tunnel
The conference centre wifi collapsed *again*
My $10 per hr of local hotspot prepay subscription expired
I left my hotel lobby (the only place with connectivity) for my room
etc.

--
Roland Perry

From laurence at iapetus.plus.com Mon Jul 1 23:09:44 2013
From: laurence at iapetus.plus.com (Laurence Taylor)
Date: Mon, 1 Jul 2013 22:09:44 +0000 (GMT)
Subject: Doormat argument about Voicemail dismissed by Court of Appeal
Message-ID: <9343@iapetus.plus.com>

In message <1276F98B-AE2D-4B2A-8040-0F5470BA18A5 at batten.eu.org> Ian Batten writes:

> What proportion of email users are still using POP3 and downloading a
> local copy? Single figure percent, I would suspect, compared to the
> vast majority who are using webmail of some sort, and the geekerati who
> might be using IMAP4.
> It implies a model of usage --- a single device
> with substantial local storage, talking to a remote server with limited
> storage --- which simply doesn't apply today.

It might not apply technologically, but it certainly works practically. I download all my email by POP3 and it sits on my PC until I've finished with it.

I find webmail a pain; I have to put up with whatever interface the company provide and options for copying, saving, filing, etc. are limited. And it relies on being connected.

IMAP is a bit better, but still relies on a connection to the other end which might have failed.

A few months ago, my phone line failed because the cable broke. I could still read the emails I had downloaded and write replies to them!

rgds
LAurence
<><

... You wearing a toupe or is that a tribble on your head?
~~~ Tag-O-Matic V.13F

From igb at batten.eu.org Mon Jul 8 10:52:51 2013
From: igb at batten.eu.org (Ian Batten)
Date: Mon, 8 Jul 2013 10:52:51 +0100
Subject: BBC News - The 'cyber-attack' threat to London's Olympic ceremony
Message-ID: <4852589E-A45E-40B0-B32F-CB0806D8ADB4@batten.eu.org>

http://www.bbc.co.uk/news/uk-23195283

How seriously can we take all this sort of stuff? It does seem remarkably convenient that, in the light of the PRISM (etc) revelations, GCHQ are suddenly purporting to open their files sufficiently to show us how it's a miracle that we aren't all strangled in our beds by cyber-criminals. If CIN utility systems are connected to the Internet, then the solution is not massive security measures at a whole-country level, the solution is removing CIN from the Internet and properly policing the airgap. Yes, that's not a 100% fix, as the broken bearings on some Iranian centrifuges will attest, and actually enforcing an airgap on geographically diverse equipment is a lot harder than it might at first sight appear.
And the level of evidence --- which appears, from the cited story, to be at the "some people who had neither the capability nor the expertise nor the knowledge said they thought it might be a good idea to..." --- doesn't convince me that these risks are sufficient to support the solutions being proposed.

So far, the only case of a serious cyber-attack on CIN we know of is the Iranian centrifuge case, in which (so far as we can tell) massive state-actor resources were deployed against a broadly unprepared target in order to stop the functioning of one precise piece of equipment. Everything else is supposition and rumour. Is our CIN really at risk from cyber-terrorism? Where's the evidence?

ian

From pwt at iosis.co.uk Mon Jul 8 11:59:36 2013
From: pwt at iosis.co.uk (Peter Tomlinson)
Date: Mon, 08 Jul 2013 11:59:36 +0100
Subject: BBC News - The 'cyber-attack' threat to London's Olympic ceremony
In-Reply-To: <4852589E-A45E-40B0-B32F-CB0806D8ADB4@batten.eu.org>
References: <4852589E-A45E-40B0-B32F-CB0806D8ADB4@batten.eu.org>
Message-ID: <51DA9B98.6010905@iosis.co.uk>

That reminded me of a 28th June article in the Newsletter from Pinsent Masons (Out-Law News):
http://www.out-law.com/en/articles/2013/june/always-on-culture-is-staggeringly-expensive-for-it-buyers-to-guarantee-says-expert/

Personally this is relevant in the context of smart media ticketing for public transport, where there is talk of moving to an 'always on-line' method instead of holding details in the card (or smartphone) and having a complex ticket machine on the vehicle, at the station, etc. The card will then just hold an ID token (so it could be a bank card).

Peter

On 08/07/2013 10:52, Ian Batten wrote:
>
> http://www.bbc.co.uk/news/uk-23195283
>
> How seriously can we take all this sort of stuff?
> It does seem
> remarkably convenient that, in the light of the PRISM (etc)
> revelations, GCHQ are suddenly purporting to open their files
> sufficiently to show us how it's a miracle that we aren't all
> strangled in our beds by cyber-criminals. If CIN utility systems are
> connected to the Internet, then the solution is not massive security
> measures at a whole-country level, the solution is removing CIN from
> the Internet and properly policing the airgap. Yes, that's not a 100%
> fix, as the broken bearings on some Iranian centrifuges will attest,
> and actually enforcing an airgap on geographically diverse equipment
> is a lot harder than it might at first sight appear. And the level of
> evidence --- which appears, from the cited story, to be at the "some
> people who had neither the capability nor the expertise nor the
> knowledge said they thought it might be a good idea to..." --- doesn't
> convince me that these risks are sufficient to support the solutions
> being proposed.
>
> So far, the only case of a serious cyber-attack on CIN we know of is
> the Iranian centrifuge case, in which (so far as we can tell) massive
> state-actor resources were deployed against a broadly unprepared
> target in order to stop the functioning of one precise piece of
> equipment. Everything else is supposition and rumour. Is our CIN
> really at risk from cyber-terrorism? Where's the evidence?
>
> ian
>

From tonynaggs at gmail.com Mon Jul 15 09:19:05 2013
From: tonynaggs at gmail.com (Tony Naggs)
Date: Mon, 15 Jul 2013 09:19:05 +0100
Subject: Travellers mobile phone data seized by police at border
Message-ID:

This story appeared on the Telegraph website yesterday -
http://www.telegraph.co.uk/technology/10177765/Travellers-mobile-phone-data-seized-by-police-at-border.html

From ben at links.org Fri Jul 19 11:31:16 2013
From: ben at links.org (Ben Laurie)
Date: Fri, 19 Jul 2013 11:31:16 +0100
Subject: Certificate Transparency Hack Day
Message-ID:

The Certificate Transparency team are considering hosting a hack day at Google's London office during the week of Aug 27-30 (Mon Aug 26 is a bank holiday). On the agenda would likely be:

* log dashboard and data visualization
* an appengine port of the dashboard
* browser plugins
* binary transparency
* DNSSEC transparency
* revocation transparency
* anything else people find interesting

If you'd be interested in attending such an event, please let Ben Laurie (benl at google.com) know and indicate any preference for which day.

Thanks!

From zenadsl6186 at zen.co.uk Fri Jul 19 19:08:45 2013
From: zenadsl6186 at zen.co.uk (Peter Fairbrother)
Date: Fri, 19 Jul 2013 19:08:45 +0100
Subject: Certificate Transparency Hack Day
In-Reply-To:
References:
Message-ID: <51E980AD.8050502@zen.co.uk>

On 19/07/13 11:31, Ben Laurie wrote:
> The Certificate Transparency team

What exactly is Certificate Transparency? I'm thinking it has something to do with the little padlocks on browsers, but ..

are considering hosting a hack day
> at Google's London office during the week of Aug 27-30 (Mon Aug 26 is
> a bank holiday). On the agenda would likely be:
>
> * log dashboard and data visualization

What is "dashboard", and what data is to be visualised?

> * an appengine port of the dashboard

appengine? pulling your leg a bit, but is that sort-of Google-specific?

> * browser plugins
> * binary transparency

?? sounds interesting, but I don't have a clue what you mean here.

Thinking again about it, it sounds like insider gobbledegook ... maybe it's - you insert code: the compiler delivers machine code: and you can check that they match because you can repeat the operation and get the same result - which doesn't happen with modern compilers

> * DNSSEC transparency

Nope, can't even guess what you mean here.
> * revocation transparency

or here - revocation? might work for a while, eg with bluray until about now when it gets broken, but ...

> * anything else people find interesting

I like balloons (and rockets)

--
Peter Fairbrother

>
> If you'd be interested in attending such an event, please let Ben
> Laurie (benl at google.com) know and indicate any preference for which
> day.
>
> Thanks!
>
>

From nbohm at ernest.net Fri Jul 19 19:25:56 2013
From: nbohm at ernest.net (Nicholas Bohm)
Date: Fri, 19 Jul 2013 19:25:56 +0100
Subject: Certificate Transparency Hack Day
In-Reply-To: <51E980AD.8050502@zen.co.uk>
References: <51E980AD.8050502@zen.co.uk>
Message-ID: <51E984B4.8010708@ernest.net>

On 19/07/2013 19:08, Peter Fairbrother wrote:
> On 19/07/13 11:31, Ben Laurie wrote:
>> The Certificate Transparency team
>
> What exactly is Certificate Transparency? I'm thinking it has
> something to do with the little padlocks on browsers, but ..

I didn't understand it either; but then I didn't expect to. (I think it's to do with being able to tell whether the certificate used by a site is the one you'd expect, so as to help detect MITM attacks.)

But I think it's clear you ought to go and find out (balloons or no balloons), and maybe explain to us all.

Nick
--
Contact and PGP key here

From ben at links.org Sat Jul 20 10:08:56 2013
From: ben at links.org (Ben Laurie)
Date: Sat, 20 Jul 2013 10:08:56 +0100
Subject: Certificate Transparency Hack Day
In-Reply-To: <51E980AD.8050502@zen.co.uk>
References: <51E980AD.8050502@zen.co.uk>
Message-ID:

On 19 July 2013 19:08, Peter Fairbrother wrote:
> What exactly is Certificate Transparency?

Roughly: http://www.links.org/files/CertificateTransparencyVersion2.1a.pdf

Exactly: http://tools.ietf.org/html/rfc6962

From alec.muffett at gmail.com Sat Jul 20 11:22:35 2013
From: alec.muffett at gmail.com (Alec Muffett)
Date: Sat, 20 Jul 2013 11:22:35 +0100
Subject: Certificate Transparency Hack Day
In-Reply-To:
References: <51E980AD.8050502@zen.co.uk>
Message-ID:

> Roughly: http://www.links.org/files/CertificateTransparencyVersion2.1a.pdf
> Exactly: http://tools.ietf.org/html/rfc6962
>

Briefly:

- All Certificate Authorities publish attestable lists of all certificates they issue, so that fake certs may promptly be identified

- Any CA found to be knowingly/unknowingly generating fake certs can be called-out, blackballed or somehow spanked

I think it's a great idea, I think we need it, I think it's an advancement on where we are, and as Ben knows, I don't feel that it's a complete solution in and of itself; it creates complexity and hierarchy which - if implemented as described - would doubtless be beneficial, and adds all manner of lovely proofs of naughtiness, but I am worried about the new possibilities for Layer-8/9 problems, ie: Finance and Bureaucracy.

And I worry about use of words like "anticipate" and "clearly":

*The log promises to incorporate the certificate and chain within a certain amount of time. Failure to do so is considered a breach of contract by the log. This time is known as the Maximum Merge Delay (MMD). We anticipate the MMD being measured in hours. Clearly, the MMD is the longest possible time a rogue certificate can be used without detection.*

Yep. I love the idea. Do it. And then keep innovating and do more.

- a

--
http://dropsafe.crypticide.com/aboutalecm