Re: [therightkey] Barely-capable CAs

Rick Andrews <Rick_Andrews@symantec.com> Thu, 01 November 2012 17:08 UTC

From: Rick Andrews <Rick_Andrews@symantec.com>
To: Paul Hoffman <paul.hoffman@vpnc.org>, "therightkey@ietf.org" <therightkey@ietf.org>
Date: Thu, 01 Nov 2012 10:08:14 -0700
Message-ID: <544B0DD62A64C1448B2DA253C0114146069F66FC37@TUS1XCHEVSPIN33.SYMC.SYMANTEC.COM>
In-Reply-To: <80A8F0DC-C894-4299-AEC7-12B84A803E84@vpnc.org>

> -----Original Message-----
> From: therightkey-bounces@ietf.org [mailto:therightkey-bounces@ietf.org] On Behalf Of Paul Hoffman
> Sent: Thursday, November 01, 2012 8:15 AM
> To: therightkey@ietf.org
> Subject: [therightkey] Barely-capable CAs
> 
> On Nov 1, 2012, at 2:10 AM, Ben Laurie <benl@google.com> wrote:
> 
> > It's only software. The process of participating in CT for a server operator is:
> >
> > 1. Run command line tool once, giving it your certificate as input and an SCT file as output.
> >
> > 2. Add one line of configuration to your server config.
> >
> > Not exactly rocket science. If people _really_ find it hard, we could build it into the servers so there was no manual step at all.
> 
> As someone who has to trust every CA in the root pile in my browsers
> and OSs, I find it frightening that a CA who can say "this is your
> bank's certificate" cannot handle new requirements for how to say that.
> If adopting a simple protocol like this causes an ossified CA too many
> problems, maybe I don't trust that CA to be able to issue certificates
> for my bank, much less to be able to know which certificates that they
> are actually issuing.

Paul, I find your statements to be oversimplifications:

1) That the CT protocol is simple: I've been trying to make the point on this list that it may be conceptually simple but pretty difficult to implement to the scale that is required.

2) That CAs can't handle new requirements: I'm not convinced that CT is the silver bullet that some appear to claim it is. If you were referring to my statements on this list, please don't interpret my criticism as inability to handle new requirements. I think a debate on the merits is healthy.

-Rick