[Cryptography] The Trouble with Certificate Transparency

Salz, Rich rsalz at akamai.com
Sun Sep 28 17:52:07 EDT 2014


Another interesting aspect of CT is that it significantly raises the cost for a CA to agree to an NSL. Imagine someone like Verisign is compelled to issue a bogus certificate, and that it is found out. Verisign is now stuck: either run the risk of violating the NSL and admitting what happened, or run the risk of having their CA removed from the browser's trust store, rendering ALL Verisign sites untrusted. In essence, the cost for compliance could be going out of business, which could be a pretty strong argument to make if appealing the order. If CT does nothing else but make secret orders much**2 more difficult, that seems a good thing.

Recall that the original name for CT was sunlight, after all.

--  
Principal Security Engineer, Akamai Technologies
IM: rsalz at jabber.me Twitter: RichSalz


