[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] Lets Encrypt compared to self-signed certs

bancfc@xxxxxxxxxxxxxxx writes:

> Hi David. Thanks for chiming in. Please add a feature for pinning at
> the key level as IMO it provides the best protection.

We don't have any tools for pinning at all but you can read people's
tips about it on the Let's Encrypt community forum.

> Will the logs provide users/site owners with a way to independently
> check if coercion has happened?

The logs obviously don't have metadata about whether certificates are a
result of coercion, but if you are the site owner and you see a
certificate in the log that you didn't ask for, you have evidence that
there's been a problem, while if you are a user and you see a
certificate on the site that isn't in the log, you have evidence that
there's been a different kind of problem.

> Would systems like Cothority help Lets Encrypt users notice cert
> issuance inconsistencies even under compelled assistance? This
> project has the advantage of letting Tor clients spot anomalies in
> the Tor consensus documents should any of the DirAuths be
> compromised and it can be used for CAs too:
> https://github.com/dedis/cothority

I'll be happy to take a look at that.

Seth Schoen  <schoen@xxxxxxx>
Senior Staff Technologist                       https://www.eff.org/
Electronic Frontier Foundation                  https://www.eff.org/join
815 Eddy Street, San Francisco, CA  94109       +1 415 436 9333 x107
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to