<div dir="ltr"><br><div class="gmail_extra"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
Roughly: <a href="http://www.links.org/files/CertificateTransparencyVersion2.1a.pdf" target="_blank">http://www.links.org/files/CertificateTransparencyVersion2.1a.pdf</a><br>
Exactly: <a href="http://tools.ietf.org/html/rfc6962" target="_blank">http://tools.ietf.org/html/rfc6962</a><br>
</blockquote></div><br>Briefly:</div><div class="gmail_extra"><br></div><div class="gmail_extra">- All Certificate Authorities publish attestable lists of all certificates they issue, so that fake certs may promptly be identified</div>
<div class="gmail_extra">- Any CA found to be knowingly/unknowingly generating fake certs can be called-out, blackballed or somehow spanked<br clear="all"><div><br></div><div><br></div><div>I think it's a great idea, I think we need it, I think it's an advancement on where we are, and as Ben knows, I don't feel that it's a complete solution in and of itself; it creates complexity and hierarchy which - if implemented as described - would doubtless be beneficial, and adds all manner of lovely proofs of naughtiness, but I am worried about the new possibilities for Layer-8/9 problems, ie: Finance and Bureaucracy.</div>
<div><br></div><div>And I worry about use of words like "anticipate" and "clearly":</div><div><br></div><div><div><i>The log promises to incorporate the certificate and chain within a certain amount of time. Failure </i></div>
<div><i>to do so is considered a breach of contract by the log. This time is known as the Maximum Merge </i></div><div><i>Delay (MMD). We anticipate the MMD being measured in hours. Clearly, the MMD is the longest </i></div>
<div><i>possible time a rogue certificate can be used without detection.</i></div></div><div><br></div><div>Yep. I love the idea. Do it. And then keep innovating and do more.</div><div><br></div><div> - a <grump/></div>
<div><br></div>-- <br><a href="http://dropsafe.crypticide.com/aboutalecm" target="_blank">http://dropsafe.crypticide.com/aboutalecm</a><br>
</div></div>