<div dir="ltr">+benlaurie<div class="gmail_extra"><br></div><div class="gmail_extra">...in case he's interested in opining on this sort of thing<br><br><div class="gmail_quote">On Fri, Aug 22, 2014 at 4:23 PM, Chris Palmer <span dir="ltr"><<a href="mailto:snackypants@gmail.com" target="_blank">snackypants@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="">On Thu, Aug 21, 2014 at 11:09 AM, Tao Effect <<a href="mailto:contact@taoeffect.com">contact@taoeffect.com</a>> wrote:<br>
<br>
> - CT cannot deliver on its promise to document every certificate that is<br>
> issued. It makes it possible for malicious actors to issue fraudulent certs<br>
> and never actually log or report them. [2] [3]<br>
> - Certs must be purchased via yearly subscriptions, whereas with Namecoin /<br>
> DNSChain they are free.<br>
> - CT does not prevent MITM attacks, whereas DNSChain does.<br>
> - Whereas certificate revocation for compromised certificates is not an<br>
> issue in Namecoin / DNSChain, it is still an unsolved problem with CT. [4]<br>
<br>
</div><a href="http://www.certificate-transparency.org/how-ct-works" target="_blank">http://www.certificate-transparency.org/how-ct-works</a><br>
<br>
"""During the TLS handshake, the TLS client receives the SSL<br>
certificate and the certificate’s SCT. As usual, the TLS client<br>
validates the certificate and its signature chain. In addition, the<br>
TLS client validates the log’s signature on the SCT to verify that the<br>
SCT was issued by a valid log and that the SCT was actually issued for<br>
the certificate (and not some other certificate). If there are<br>
discrepancies, the TLS client may reject the certificate. For example,<br>
a TLS client would typically reject any certificate whose SCT<br>
timestamp is in the future."""<br>
<br>
Thus, clients can (and should) reject any certificate not issued in public.<br>
<br>
Just wanted to clear that up.<br>
<div class="HOEnZb"><div class="h5">_______________________________________________<br>
Messaging mailing list<br>
<a href="mailto:Messaging@moderncrypto.org">Messaging@moderncrypto.org</a><br>
<a href="https://moderncrypto.org/mailman/listinfo/messaging" target="_blank">https://moderncrypto.org/mailman/listinfo/messaging</a><br>
</div></div></blockquote></div><br><br clear="all"><div><br></div>-- <br>Tony Arcieri<br>
</div></div>