
Re: [therightkey] LC comments on draft-laurie-pki-sunlight-05

2013-02-22 05:19:16
On 17 February 2013 00:24, Phillip Hallam-Baker <hallam(_at_)gmail(_dot_)com> wrote:


On Sat, Feb 16, 2013 at 1:55 PM, Ben Laurie <benl(_at_)google(_dot_)com> wrote:

On 16 February 2013 10:22, Phillip Hallam-Baker <hallam(_at_)gmail(_dot_)com> wrote:
Sorry for the delay but I have been thinking of CT and in particular the issues of

* Latency for the CA waiting for a notary server to respond
* Business models for notary servers

As a rule open source software works really well as the marginal cost of production is zero. Open source services tend to sux because even though the marginal cost of a service is negligible, large numbers times negligible adds up to big numbers. Running a DNS server for a university department costs very little, running it for the whole university starts to cost real money and running a registry like .com with 99.9999% reliability ends up with $100 million hardware costs.

So the idea that I plug my business into a network of notary servers being run by amateurs or as a community service is a non-starter for me. We have to align the responsibility for running any server that the CA has a critical dependency on with a business model.

Note that we do not expect CAs to talk to _all_ log servers, only
those that are appropriately responsive - and also note that a CA can
fire off a dozen log requests in parallel and then just use the first
three that come back, which would deal with any temporary log issues.

We should probably add this ability to the open source stack at some
point.

Looking at the CT proposal, it seems to me that we could fix the business model issue and remove a lot of the CA operational issues as follows:

1) Each browser provider that is interested in enforcing a CT requirement stands up a meta-notary server.

2) Each CA runs their own notary server and this is the only resource that needs to have a check in at certificate issue.

Isn't this part the only part that's actually needed? The
meta-notaries seem like redundant extra complication (and also sound
like they fulfil essentially the same role as monitors).

I assume, btw, that by "notary server" you mean "log server"?

Also, if a CA only uses its own log, what happens when it screws up
and gets its log struck off the list of trusted logs? This is why we
recommend some redundancy in log signatures.


That is the reason for checkpointing against meta notaries.

Otherwise a CA might not actually release the logs.

An unreleased log is not compliant - and so would not be accepted by browsers.

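The "fire off a dozen log requests in parallel and use the first three that come back" strategy Ben describes above, as an added illustration that is not code from the thread or from any CT implementation. The logs here are constructed stand-ins with fixed latencies (a real client would POST the chain to each log's add-chain endpoint and receive a signed SCT); the `SimulatedLog`, `collect_scts` names and the `needed`/`deadline` parameters are this example's own.

```python
"""Parallel SCT collection: submit one certificate to many CT logs at once,
keep the first N successful responses, and tolerate slow or failing logs.
The logs below are constructed stand-ins, not real CT endpoints."""
import time
from concurrent.futures import ThreadPoolExecutor, as_completed, TimeoutError


class SimulatedLog:
    """Stand-in for a CT log: answers after `latency` seconds, or raises."""
    def __init__(self, log_id, latency, fails=False):
        self.log_id, self.latency, self.fails = log_id, latency, fails

    def add_chain(self, cert_der: bytes) -> dict:
        time.sleep(self.latency)
        if self.fails:
            raise RuntimeError(f"{self.log_id}: 503 Service Unavailable")
        # A real SCT is a signed structure; this is a labelled placeholder.
        return {"log_id": self.log_id, "timestamp": int(time.time() * 1000),
                "cert_prefix": cert_der[:4].hex()}


def collect_scts(logs, cert_der, needed=3, deadline=0.5):
    """Submit to every log in parallel and return the first `needed` SCTs.
    Failed logs are skipped; when `deadline` seconds pass we stop waiting
    and return what we have, so the caller can decide whether fewer than
    `needed` SCTs is acceptable for issuance."""
    scts = []
    pool = ThreadPoolExecutor(max_workers=len(logs))
    futures = {pool.submit(log.add_chain, cert_der): log for log in logs}
    try:
        for fut in as_completed(futures, timeout=deadline):
            try:
                scts.append(fut.result())
            except Exception:
                continue  # a broken log simply loses its chance
            if len(scts) >= needed:
                break
    except TimeoutError:
        pass  # deadline hit with fewer than `needed` SCTs in hand
    finally:
        pool.shutdown(wait=False, cancel_futures=True)  # ignore stragglers
    return scts


if __name__ == "__main__":
    cert = b"\x30\x82\x01\x00-constructed-cert-bytes"  # constructed sample
    logs = [SimulatedLog("log-a", 0.01), SimulatedLog("log-b", 0.03),
            SimulatedLog("log-x", 0.02, fails=True), SimulatedLog("log-c", 0.05),
            SimulatedLog("log-d", 0.12), SimulatedLog("log-slow", 0.40)]
    for sct in collect_scts(logs, cert):
        print(sct["log_id"], sct["timestamp"])
```

Redundancy comes from the distinct log ids in the result: if one of those logs is later struck off, the certificate still carries SCTs from the others.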