
CT requires all CAs to willingly participate. They are, obviously, less than willing:

https://groups.google.com/forum/#!msg/certificate-transparen...

(Symantec is VeriSign)

The efficacy of CT will largely hinge on whether Google can get CAs to participate. Even if they can, it'll be a long road (it already has been), and TACK is immediately deployable in the short term.




Is it necessary to get every cert? Getting the CAs to participate would be the best way, but it seems there are workarounds that will result in a large number of certs to be listed, though not all of them:

"Google is currently operating a Certificate Transparency log, and we are filling the log with certificates that we retrieve while crawling the web. We are also actively working on monitoring and auditing software."

http://www.certificate-transparency.org/faq


Something like pinning for S/MIME would be great, too…


It doesn't require all of them. They just need enough to reach a critical mass at which point they can start rejecting.

Also, a client can submit their cert to the log regardless of CA support. The only thing CA support is needed for is automated submissions.
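As an added example (not code from the thread, nor from any CT log or browser), here is what the self-submission described above looks like under the RFC 6962 v1 log API: the holder of a certificate builds the `add-chain` request body, receives a Signed Certificate Timestamp (SCT) from the log, and encodes it for delivery to clients. The HTTPS POST to `<log>/ct/v1/add-chain` is not performed; the DER blob, log id and SCT field values are constructed placeholders, and the "signature" is not a real log signature.

```python
"""Added example: self-submitting a certificate to a Certificate Transparency
log under the RFC 6962 v1 API and decoding the returned SCT. All inputs are
constructed offline; no network call is made and no signature is verified."""
import base64
import json
import struct
from typing import Dict, List

# TLS 1.2 SignatureAndHashAlgorithm code points carried inside an SCT.
HASH_ALGS = {0: "none", 1: "md5", 2: "sha1", 3: "sha224", 4: "sha256", 5: "sha384", 6: "sha512"}
SIG_ALGS = {0: "anonymous", 1: "rsa", 2: "dsa", 3: "ecdsa"}


def build_add_chain_request(chain_der: List[bytes]) -> str:
    """RFC 6962 4.1 request body: {"chain": [base64(leaf DER), base64(issuer DER), ...]}.
    Leaf first, then the chain towards a root the log accepts. Anyone holding
    the certificate can POST this to <log>/ct/v1/add-chain; the CA is not involved."""
    return json.dumps({"chain": [base64.b64encode(c).decode("ascii") for c in chain_der]})


def sct_from_add_chain_response(body: str) -> bytes:
    """Turn the JSON add-chain response (RFC 6962 4.1) into the TLS-encoded
    SignedCertificateTimestamp (RFC 6962 3.2) a server hands to clients in
    the signed_certificate_timestamp TLS extension."""
    r = json.loads(body)
    if r["sct_version"] != 0:
        raise ValueError(f"unexpected sct_version {r['sct_version']}")
    log_id = base64.b64decode(r["id"])            # SHA-256 of the log's public key
    if len(log_id) != 32:
        raise ValueError("log id must be 32 bytes")
    extensions = base64.b64decode(r["extensions"])
    signature = base64.b64decode(r["signature"])  # TLS DigitallySigned struct
    return (
        bytes([0])                                  # Version v1
        + log_id
        + struct.pack(">Q", r["timestamp"])         # ms since Unix epoch
        + struct.pack(">H", len(extensions)) + extensions
        + signature
    )


def parse_sct(raw: bytes) -> Dict:
    """Decode a TLS-encoded SCT, rejecting truncated or padded input
    instead of silently misreading it."""
    if len(raw) < 1 + 32 + 8 + 2 + 4:
        raise ValueError("SCT too short")
    try:
        off = 0
        version = raw[off]; off += 1
        if version != 0:
            raise ValueError(f"unsupported SCT version {version}")
        log_id = raw[off:off + 32]; off += 32
        (timestamp,) = struct.unpack_from(">Q", raw, off); off += 8
        (ext_len,) = struct.unpack_from(">H", raw, off); off += 2
        extensions = raw[off:off + ext_len]; off += ext_len
        hash_alg, sig_alg, sig_len = struct.unpack_from(">BBH", raw, off); off += 4
        signature = raw[off:off + sig_len]; off += sig_len
    except struct.error as e:
        raise ValueError("truncated SCT") from e
    if off != len(raw) or len(signature) != sig_len or len(extensions) != ext_len:
        raise ValueError("SCT length mismatch")
    return {
        "log_id": log_id.hex(),
        "timestamp": timestamp,
        "extensions": extensions,
        "hash_algorithm": HASH_ALGS.get(hash_alg, hash_alg),
        "signature_algorithm": SIG_ALGS.get(sig_alg, sig_alg),
        "signature": signature,
    }


# Constructed sample response shaped like a real add-chain reply. The id is
# not any real log's key hash; the signature is a placeholder DER
# ECDSA-Sig-Value (r=1, s=2), not a valid signature over anything.
_PLACEHOLDER_SIG = bytes([0x30, 0x06, 0x02, 0x01, 0x01, 0x02, 0x01, 0x02])
SAMPLE_ADD_CHAIN_RESPONSE = json.dumps({
    "sct_version": 0,
    "id": base64.b64encode(bytes(range(32))).decode("ascii"),
    "timestamp": 1356048000000,
    "extensions": "",
    "signature": base64.b64encode(
        bytes([4, 3]) + struct.pack(">H", len(_PLACEHOLDER_SIG)) + _PLACEHOLDER_SIG
    ).decode("ascii"),
})

if __name__ == "__main__":
    # Constructed 5-byte "DER" stand-in for the leaf certificate.
    print(build_add_chain_request([b"\x30\x03\x02\x01\x00"]))
    sct = sct_from_add_chain_response(SAMPLE_ADD_CHAIN_RESPONSE)
    print(parse_sct(sct))
```

The request is the part a site operator can do without its CA; what CA participation adds in RFC 6962 is the precertificate path, where the CA obtains SCTs before issuance and embeds them in the certificate itself. A client that receives an SCT should still verify the log's signature with the log's public key over the signed data (version, signature type, timestamp, entry type, the certificate, extensions); that step is omitted here because the sample carries no real key.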



