[cryptography] The Trouble with Certificate Transparency

Greg greg at kinostudios.com
Sat Sep 27 14:03:16 EDT 2014

This is a reply to Ben Laurie's email on [messaging] because Trevor expressed concern that CT is off topic for that list. In respecting his wishes, I decided to reply to Ben's email here on randombit.

On Sep 27, 2014, at 4:38 AM, Ben Laurie <ben at links.org> wrote:

> b) If there's an advantage to downloading the whole log, a client is
> free to do so. You claim that there's an advantage to having history
> up to some point - I am just observing that CT allows the same thing,
> at similar cost.

But it is not a similar cost.

There is only one Namecoin blockchain to download, and with DNSChain, you don't need to download it to have instant and secure read/write access to it.

CT, on the other hand, has not one but over a thousand logs that must be checked to detect mis-issuance. There are several orders of magnitude more data to download, and the means to download said data are unreliable and impractical [1].

[1] http://www.ietf.org/mail-archive/web/trans/current/msg00591.html

> Yeah, and we're not going to download "all the blockchain" either. But
> if we were prepared to do that, then we could also download the CT
> log.

So there are two mechanisms that would allow Chrome to have complete and secure access to all the relevant info in the blockchain without having to download it:

1. DNSChain (as mentioned above)
2. Ultimate blockchain compression (perhaps this would fancy you more, since it relies heavily on merkle trees?): https://github.com/maaku/bips/blob/master/drafts/auth-trie.mediawiki + https://bitcointalk.org/index.php?topic=88208.msg7423013#msg7423013

Kind regards,
Greg Slepak

Please do not email me anything that you are not comfortable also sharing with the NSA.
