Certificate Transparency Hack Day

Alec Muffett alec.muffett at gmail.com
Sat Jul 20 11:22:35 BST 2013

> Roughly: http://www.links.org/files/CertificateTransparencyVersion2.1a.pdf
> Exactly: http://tools.ietf.org/html/rfc6962


- All Certificate Authorities publish attestable lists of all certificates
they issue, so that fake certs may promptly be identified
- Any CA found to be knowingly/unknowingly generating fake certs can be
called-out, blackballed or somehow spanked

I think it's a great idea, I think we need it, I think it's an advancement
on where we are, and as Ben knows, I don't feel that it's a complete
solution in and of itself; it creates complexity and hierarchy which - if
implemented as described - would doubtless be beneficial, and adds all
manner of lovely proofs of naughtiness, but I am worried about the new
possibilities for Layer-8/9 problems, ie: Finance and Bureaucracy.

And I worry about use of words like "anticipate" and "clearly":

*The log promises to incorporate the certificate and chain within a certain
amount of time. Failure *
*to do so is considered a breach of contract by the log. This time is known
as the Maximum Merge *
*Delay (MMD). We anticipate the MMD being measured in hours. Clearly, the
MMD is the longest *
*possible time a rogue certificate can be used without detection.*

Yep. I love the idea. Do it. And then keep innovating and do more.

    - a <grump/>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.chiark.greenend.org.uk/pipermail/ukcrypto/attachments/20130720/1ff4187a/attachment.html>

More information about the ukcrypto mailing list