bascule at gmail.com
Fri Aug 22 16:26:55 PDT 2014
...in case he's interested in opining on this sort of thing
On Fri, Aug 22, 2014 at 4:23 PM, Chris Palmer <snackypants at gmail.com> wrote:
> On Thu, Aug 21, 2014 at 11:09 AM, Tao Effect <contact at taoeffect.com>
> > - CT cannot deliver on its promise to document every certificate that is
> > issued. It makes it possible for malicious actors to issue fraudulent
> > and never actually log or report them.
> > - Certs must be purchased via yearly subscriptions, whereas with Namecoin /
> > DNSChain they are free.
> > - CT does not prevent MITM attacks, whereas DNSChain does.
> > - Whereas certificate revocation for compromised certificates is not an
> > issue in Namecoin / DNSChain, it is still an unsolved problem with CT.
> """During the TLS handshake, the TLS client receives the SSL
> certificate and the certificate’s SCT. As usual, the TLS client
> validates the certificate and its signature chain. In addition, the
> TLS client validates the log’s signature on the SCT to verify that the
> SCT was issued by a valid log and that the SCT was actually issued for
> the certificate (and not some other certificate). If there are
> discrepancies, the TLS client may reject the certificate. For example,
> a TLS client would typically reject any certificate whose SCT
> timestamp is in the future."""
> Thus, clients can (and should) reject any certificate not issued in public.
> Just wanted to clear that up.
> Messaging mailing list
> Messaging at moderncrypto.org
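The client-side checks in the quoted paragraph (validate the log's signature on the SCT, confirm the SCT was issued for this certificate and not another one, reject a timestamp in the future) are easy to miss if you only think of CT as "the log has a copy". Below is an added Go example that is not from this thread or from any CT project's code base. It rebuilds the RFC 6962 v1 "digitally-signed" structure for an x509_entry (version, signature_type, timestamp, entry_type, length-prefixed certificate, length-prefixed extensions) and verifies the ECDSA P-256/SHA-256 log signature over it. The log key is generated locally as a stand-in for a real log, the "certificate" is a constructed placeholder byte string rather than real DER, and the names SCT, VerifySCT, issueSCT and runChecks are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
	"time"
)

// SCT carries the fields of an RFC 6962 v1 SignedCertificateTimestamp that a
// TLS client checks. Signature is a DER-encoded ECDSA value over SHA-256.
type SCT struct {
	LogID      [32]byte // SHA-256 over the log's DER SubjectPublicKeyInfo
	Timestamp  uint64   // milliseconds since the Unix epoch
	Extensions []byte
	Signature  []byte
}

// appendUint appends v as an n-byte big-endian integer (TLS-style encoding).
func appendUint(b []byte, v uint64, n int) []byte {
	for i := n - 1; i >= 0; i-- {
		b = append(b, byte(v>>(8*uint(i))))
	}
	return b
}

// sctSignedData rebuilds the "digitally-signed" struct of RFC 6962 section 3.2
// for an x509_entry. The certificate bytes are part of the signed input, so the
// signature can only verify against the certificate the log issued it for.
func sctSignedData(sct SCT, certDER []byte) []byte {
	b := []byte{0, 0}                            // sct_version v1, signature_type certificate_timestamp
	b = appendUint(b, sct.Timestamp, 8)          // uint64 timestamp
	b = appendUint(b, 0, 2)                      // entry_type x509_entry
	b = appendUint(b, uint64(len(certDER)), 3)   // opaque ASN.1Cert<1..2^24-1>
	b = append(b, certDER...)
	b = appendUint(b, uint64(len(sct.Extensions)), 2)
	return append(b, sct.Extensions...)
}

// LogID derives the log identifier a client uses to look up a trusted log key.
func LogID(pub *ecdsa.PublicKey) ([32]byte, error) {
	spki, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return [32]byte{}, err
	}
	return sha256.Sum256(spki), nil
}

// VerifySCT performs the client-side checks: the SCT must name a log we trust,
// the log's signature must cover exactly this certificate, and the timestamp
// must not be in the future relative to the client's clock.
func VerifySCT(trusted map[[32]byte]*ecdsa.PublicKey, sct SCT, certDER []byte, now time.Time) error {
	pub, ok := trusted[sct.LogID]
	if !ok {
		return errors.New("SCT names a log that is not in the trusted set")
	}
	digest := sha256.Sum256(sctSignedData(sct, certDER))
	if !ecdsa.VerifyASN1(pub, digest[:], sct.Signature) {
		return errors.New("log signature does not verify for this certificate")
	}
	if time.UnixMilli(int64(sct.Timestamp)).After(now) {
		return errors.New("SCT timestamp is in the future")
	}
	return nil
}

// issueSCT plays the log's role for the demo: it signs the same structure the
// client will rebuild. A real log would also append the entry to its tree.
func issueSCT(logKey *ecdsa.PrivateKey, certDER []byte, ts time.Time) (SCT, error) {
	id, err := LogID(&logKey.PublicKey)
	if err != nil {
		return SCT{}, err
	}
	sct := SCT{LogID: id, Timestamp: uint64(ts.UnixMilli())}
	digest := sha256.Sum256(sctSignedData(sct, certDER))
	sct.Signature, err = ecdsa.SignASN1(rand.Reader, logKey, digest[:])
	return sct, err
}

type checkResults struct{ Valid, OtherCert, Future, UnknownLog error }

// runChecks exercises the accept path and the three reject paths.
func runChecks() (checkResults, error) {
	var r checkResults
	logKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // stand-in log key
	if err != nil {
		return r, err
	}
	id, err := LogID(&logKey.PublicKey)
	if err != nil {
		return r, err
	}
	trusted := map[[32]byte]*ecdsa.PublicKey{id: &logKey.PublicKey}
	now := time.Now()
	cert := []byte("PLACEHOLDER-DER-FOR-example.test") // constructed, not real DER
	good, err := issueSCT(logKey, cert, now.Add(-time.Minute))
	if err != nil {
		return r, err
	}
	r.Valid = VerifySCT(trusted, good, cert, now)
	r.OtherCert = VerifySCT(trusted, good, []byte("PLACEHOLDER-DER-FOR-other.test"), now)
	ahead, err := issueSCT(logKey, cert, now.Add(time.Hour))
	if err != nil {
		return r, err
	}
	r.Future = VerifySCT(trusted, ahead, cert, now)
	rogue := good
	rogue.LogID[0] ^= 1 // same signature, but claims an unknown log
	r.UnknownLog = VerifySCT(trusted, rogue, cert, now)
	return r, nil
}

func main() {
	r, err := runChecks()
	if err != nil {
		panic(err)
	}
	fmt.Println("valid SCT:       ", r.Valid)
	fmt.Println("other cert:      ", r.OtherCert)
	fmt.Println("future timestamp:", r.Future)
	fmt.Println("unknown log:     ", r.UnknownLog)
}
```

Two things worth noticing: the log ID is not inside the signed structure, so the client has to bind it to a key through its own trusted-log list rather than trusting whatever the SCT claims, and the timestamp check depends on the client's clock, so the "future" comparison should allow for ordinary clock skew before rejecting.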