[Cryptography] [messaging] Gossip doesn't save Certificate Transparency

Bill Frantz frantz at pwpconsult.com
Mon Sep 29 02:37:49 EDT 2014 

On 9/28/14 at 5:30 AM, leichter at lrw.com (Jerry Leichter) wrote:

>The logical outcome of pinning is to get rid of the certs 
>entirely.  Your browser vendor provides you with a bucket of 
>public keys for well-known sites, and you just use them.  The 
>only thing the intermediate layer of CA certs provides in this 
>scenario is the ability for the site to issue new keys - but it 
>does so at the cost of requiring you to trust an extra party.  
>Proper rekeying mechanisms shouldn't need that.

If that "bucket of public keys" is a collection of signing key 
provided by each site for the "temporary" (1-12 month) keys they 
generate for themselves, you are still only trusting the site 
and the provider of the bucket. Trust can be improved by 
distributing hashes of the distributed keys via paper. For high 
security sites, my bank for example, I'll be happy to walk over 
to the branch and pick up the piece of paper.

>..

>PKI was introduced to the Web as a solution to a problem:  
>There were too many sites you might want to go to - many of 
>which you'd never been to before - for it to be practical for 
>you to have all the necessary keys up front. ...

I class sites into three security levels. (1) I don't care. The 
New York Times, the local caving club, etc. (2) I don't want my 
credit card hijacked. and (3) I don't want hackers at my 
financial accounts. Compromise of sites in class 1 can only 
confuse me. Compromise of sites in class 2 cost me a maximum of 
$50 and some embarrassment. Compromise of sites in class 3 can 
wipe me out financially.

There are very few sites in class 3. I am happy to check the 
fingerprints for those. Even if I don't, probably someone else 
will, protecting me and the rest of the herd.

It would be nice to have a mechanism to ensure that my copy of 
the bucket is the same as everyone else's.

Cheers - Bill

-----------------------------------------------------------------------
Bill Frantz        | Security is like Government  | Periwinkle
(408)356-8506      | services. The market doesn't | 16345 
Englewood Ave
www.pwpconsult.com | want to pay for them.        | Los Gatos, 
CA 95032

More information about the cryptography mailing list