[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] Lets Encrypt compared to self-signed certs

To: tor-talk@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-talk] Lets Encrypt compared to self-signed certs
From: Seth David Schoen <schoen@xxxxxxx>
Date: Mon, 29 Feb 2016 16:08:00 -0800
Delivered-to: archiver@xxxxxxxx
Delivery-date: Mon, 29 Feb 2016 19:08:14 -0500
Dkim-signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=eff.org; s=mail2; h=In-Reply-To:Content-Type:MIME-Version:References:Message-ID:Subject:To:From:Date; bh=vM2Q540JAucZiWRmyIoyTIbe6leIGZ4w9Ua1AfG73CA=; b=yn5rxFWyNUdtwgqGCc47tQKq2HTZi2rc09TPBOvQKv2f0ef6mQSEP2hKEO1DbFFP4Yvz7XOvX/ZDmiIodl9FTvQnQgTpH78bmEEsWHFD3mIPZNZ8twwgU4x1BQ3wgyciPpf2XX/5Ey/06UWcCYeM4FPV6lgXuQJeyoMbp/r1zRk=;
In-reply-to: <cb60695502b3655851993b7f79e1e816@xxxxxxxxxxxxxxx>
List-archive: <http://lists.torproject.org/pipermail/tor-talk/>
List-help: <mailto:tor-talk-request@lists.torproject.org?subject=help>
List-id: "all discussion about theory, design, and development of Onion Routing" <tor-talk.lists.torproject.org>
List-post: <mailto:tor-talk@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=unsubscribe>
References: <cb60695502b3655851993b7f79e1e816@xxxxxxxxxxxxxxx>
Reply-to: tor-talk@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-talk" <tor-talk-bounces@xxxxxxxxxxxxxxxxxxxx>
User-agent: Mutt/1.5.21 (2010-09-15)

bancfc@xxxxxxxxxxxxxxx writes:

> Hi David. Thanks for chiming in. Please add a feature for pinning at
> the key level as IMO it provides the best protection.

We don't have any tools for pinning at all but you can read people's
tips about it on the Let's Encrypt community forum.

> Will the logs provide users/site owners with a way to independently
> check if coercion has happened?

The logs obviously don't have metadata about whether certificates are a
result of coercion, but if you are the site owner and you see a
certificate in the log that you didn't ask for, you have evidence that
there's been a problem, while if you are a user and you see a
certificate on the site that isn't in the log, you have evidence that
there's been a different kind of problem.

> Would systems like Cothority help Lets Encrypt users notice cert
> issuance inconsistencies even under compelled assistance? This
> project has the advantage of letting Tor clients spot anomalies in
> the Tor consensus documents should any of the DirAuths be
> compromised and it can be used for CAs too:
> 
> https://github.com/dedis/cothority

I'll be happy to take a look at that.

-- 
Seth Schoen  <schoen@xxxxxxx>
Senior Staff Technologist                       https://www.eff.org/
Electronic Frontier Foundation                  https://www.eff.org/join
815 Eddy Street, San Francisco, CA  94109       +1 415 436 9333 x107
-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

References:
- Re: [tor-talk] Lets Encrypt compared to self-signed certs
  - From: bancfc

Prev by Author: Re: [tor-talk] Lets Encrypt compared to self-signed certs
Next by Author: Re: [tor-talk] [tor-dev] Need to know if this is a bug
Previous by thread: Re: [tor-talk] Lets Encrypt compared to self-signed certs
Next by thread: Re: [tor-talk] Once again: Tor timing attacks and a Tor confession
Index(es):
- Author
- Thread