[cryptography] Why anon-DH is less damaging than current browser PKI (a rant in five paragraphs)

Ben Laurie ben at links.org
Mon Jan 7 14:08:45 EST 2013


On Mon, Jan 7, 2013 at 5:32 PM, Guido Witmond <guido at wtmnd.nl> wrote:
> What I read from the certificate-transparency.org website is that it intends
> to limit to Global CA certificates. I would urge Mr Laurie and Google to
> include all certificates, including self-signed. It would increase the value
> of CT for me, especially in combination with DNSSEC/DANE.

The problem with self-signed for CT is twofold:

1. Spam.

2. Revocation.

Given a solution to these I would happily include them in CT.

CT + DNSSEC/DANE + self-signed is a different matter, but one that
should probably address DNSSEC directly - that is, transparency for
DNSSEC keys, not for TLS certs mentioned in DANE records.
