[cryptography] The Trouble with Certificate Transparency

Nicolai nicolai-cryptography at chocolatine.org
Thu Sep 25 23:29:29 EDT 2014


On Wed, Sep 24, 2014 at 11:17:28AM -0700, Greg wrote:
> http://blog.okturtles.com/2014/09/the-trouble-with-certificate-transparency/

Hi Greg,

It seems to me that CT could benefit security only in a "trickle down"
sense: if a cert is improperly issued against a major domain like
google.com, that CA can be punished by Chromium/Chrome, with the logs
providing political/legal cover.  And maybe the benefit trickles down.

But what about normal people?  I have to check up to 1000 different logs
to see if I've been attacked?  And if I find out that's the case, would
people care about little old me enough to burn a CA such as Comodo?

It seems CT could potentially be of benefit to some large organizations
while having little to no impact on ordinary people like myself.  If
that's wrong I'd like to know how/why.

When LibreSSL has a non-preview release or two under its belt I'd like
to try DNSChain, but for now I'm unwilling to touch major TLS libraries.
DNSChain and MinimaLT seem like they could be a great match...

Nicolai

