snackypants at gmail.com
Fri Aug 22 16:23:09 PDT 2014
On Thu, Aug 21, 2014 at 11:09 AM, Tao Effect <contact at taoeffect.com> wrote:
> - CT cannot deliver on its promise to document every certificate that is
> issued. It makes it possible for malicious actors to issue fraudulent certs
> and never actually log or report them.  
> - Certs must be purchased via yearly subscriptions, whereas with Namecoin /
> DNSChain they are free.
> - CT does not prevent MITM attacks, whereas DNSChain does.
> - Whereas certificate revocation for compromised certificates is not an
> issue in Namecoin / DNSChain, it is still an unsolved problem with CT. 
"""During the TLS handshake, the TLS client receives the SSL
certificate and the certificate’s SCT. As usual, the TLS client
validates the certificate and its signature chain. In addition, the
TLS client validates the log’s signature on the SCT to verify that the
SCT was issued by a valid log and that the SCT was actually issued for
the certificate (and not some other certificate). If there are
discrepancies, the TLS client may reject the certificate. For example,
a TLS client would typically reject any certificate whose SCT
timestamp is in the future."""
Thus, clients can (and should) reject any certificate not issued in public.
Just wanted to clear that up.
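The client-side checks the quoted passage describes, as an added example written for this reply (not code from the original mail, the CT project or DNSChain), using only Go's standard library: the RFC 6962 signed structure, the SHA-256 log ID and the ECDSA/P-256 signature are the real CT mechanics; the log key is generated in place and the certificate is a constructed byte string standing in for a DER-encoded leaf, both assumptions of the example.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/binary"
	"errors"
)
// SCT holds the fields of an RFC 6962 v1 SignedCertificateTimestamp (extensions omitted: empty in v1).
type SCT struct {
	LogID     [32]byte // SHA-256 over the log's DER-encoded public key
	Timestamp uint64   // milliseconds since the Unix epoch
	Signature []byte   // DER-encoded ECDSA signature made by the log
}
// signedDigest hashes the RFC 6962 "digitally-signed" input for an X.509 entry (signed by the log, recomputed by the client).
func signedDigest(ts uint64, cert []byte) []byte {
	b := make([]byte, 12) // sct_version v1 (0), certificate_timestamp (0), 8-byte timestamp, x509_entry (0,0)
	binary.BigEndian.PutUint64(b[2:10], ts)
	b = append(b, byte(len(cert)>>16), byte(len(cert)>>8), byte(len(cert))) // opaque<1..2^24-1>
	b = append(b, cert...)
	d := sha256.Sum256(append(b, 0, 0)) // trailing 0,0 = empty extensions, opaque<0..2^16-1>
	return d[:]
}
// LogID is the identifier a client uses to find a log's key: SHA-256 of the DER SubjectPublicKeyInfo.
func LogID(pub *ecdsa.PublicKey) [32]byte {
	der, _ := x509.MarshalPKIXPublicKey(pub)
	return sha256.Sum256(der)
}
func NewLogKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) } // stand-in for a real log's key (constructed)
// IssueSCT is the log's side, here only so the example runs stand-alone: the signature binds the timestamp to exactly this certificate.
func IssueSCT(logKey *ecdsa.PrivateKey, cert []byte, ts uint64) (SCT, error) {
	sig, err := ecdsa.SignASN1(rand.Reader, logKey, signedDigest(ts, cert))
	return SCT{LogID: LogID(&logKey.PublicKey), Timestamp: ts, Signature: sig}, err
}
// VerifySCT runs the client checks the quoted text describes: trusted log, timestamp not after nowMillis, signature over this very certificate.
func VerifySCT(sct SCT, cert []byte, trusted map[[32]byte]*ecdsa.PublicKey, nowMillis int64) error {
	pub, ok := trusted[sct.LogID]
	if !ok {
		return errors.New("SCT from a log this client does not trust")
	}
	if int64(sct.Timestamp) > nowMillis {
		return errors.New("SCT timestamp is in the future")
	}
	if !ecdsa.VerifyASN1(pub, signedDigest(sct.Timestamp, cert), sct.Signature) {
		return errors.New("log signature does not cover this certificate")
	}
	return nil
}
```

A real client additionally takes the trusted-log list from its vendor's log policy and checks the SCT against the leaf actually presented in the handshake; the checks themselves are the ones above.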