[Cryptography] [messaging] Gossip doesn't save Certificate Transparency

Arnold Reinhold agr at me.com
Tue Oct 14 19:24:25 EDT 2014

On Mon, 13 Oct 2014 15:20 Jerry Leichter wrote:

>> * We can't even ship a complete list of revoked keys in our CRLSets,
>> for size reasons - forget about pins for all sites.
> Why?  I did the calculation in my original posting.  You can cover the top 100,000 sites in 30MB.  That's the size of a couple of image files used to make the browser demos look nice.
> Plus ... the *changes* to the list are very simple:  Just insertions and deletions, nothing fancy.  So distributing deltas is simple and very cheap.

I agree that the pin distribution problem seems quite solvable. But how do browser manufacturers get valid pin data for 100,000 sites, not to mention regular updates? If they want to get the information independently, they will have to set up the kind of rigorous verification infrastructure that we would want CAs to employ. (The fact that most CAs fall short does not suggest the problem is an easy one.) And if I trust my browser manufacturer’s signature on the browser software distribution that includes the initial pin list, as well as on subsequent pin updates, why not also trust the same signature key to sign individual web site credentials and use the existing TLS infrastructure, with the browser manufacturer serving as a super-CA for those 100,000 sites?

If the browser manufacturers choose instead to subcontract getting the pin data to one or a few high quality CAs, expect those CAs to charge a very steep price since it undermines their business model. The other CAs will no doubt raise a ruckus, perhaps invoking local antitrust laws. And if the browser manufacturers accept most CA data, what is the point? 

I’d still like QR codes in my bank’s lobby.

Arnold Reinhold

More information about the cryptography mailing list