On 17 February 2013 00:24, Phillip Hallam-Baker <hallam@xxxxxxxxx> wrote:
>
> On Sat, Feb 16, 2013 at 1:55 PM, Ben Laurie <benl@xxxxxxxxxx> wrote:
>>
>> On 16 February 2013 10:22, Phillip Hallam-Baker <hallam@xxxxxxxxx> wrote:
>> > Sorry for the delay but I have been thinking of CT and in particular the
>> > issues of
>> >
>> > * Latency for the CA waiting for a notary server to respond
>> > * Business models for notary servers
>> >
>> > As a rule open source software works really well as the marginal cost of
>> > production is zero. Open source services tend to sux because even though
>> > the marginal cost of a service is negligible, large numbers times
>> > negligible adds up to big numbers. Running a DNS server for a university
>> > department costs very little, running it for the whole university starts
>> > to cost real money and running a registry like .com with 99.9999%
>> > reliability ends up with $100 million hardware costs.
>> >
>> > So the idea that I plug my business into a network of notary servers
>> > being run by amateurs or as a community service is a non-starter for me.
>> > We have to align the responsibility for running any server that the CA
>> > has a critical dependency on with a business model.
>>
>> Note that we do not expect CAs to talk to _all_ log servers, only
>> those that are appropriately responsive - and also note that a CA can
>> fire off a dozen log requests in parallel and then just use the first
>> three that come back, which would deal with any temporary log issues.
>>
>> We should probably add this ability to the open source stack at some
>> point.
>>
>> > Looking at the CT proposal, it seems to me that we could fix the
>> > business model issue and remove a lot of the CA operational issues as
>> > follows:
>> >
>> > 1) Each browser provider that is interested in enforcing a CT
>> > requirement stands up a meta-notary server.
>> >
>> > 2) Each CA runs their own notary server and this is the only resource
>> > that needs to have a check in at certificate issue.
>>
>> Isn't this part the only part that's actually needed? The
>> meta-notaries seem like redundant extra complication (and also sound
>> like they fulfil essentially the same role as monitors).
>>
>> I assume, btw, that by "notary server" you mean "log server"?
>>
>> Also, if a CA only uses its own log, what happens when it screws up
>> and gets its log struck off the list of trusted logs? This is why we
>> recommend some redundancy in log signatures.
>
>
> That is the reason for checkpointing against meta notaries.
>
> Otherwise a CA might not actually release the logs.

An unreleased log is not compliant - and so would not be accepted by browsers.
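The fan-out pattern Ben describes above (fire a dozen log submissions in parallel, keep the first few SCTs that come back, so a slow or dead log never stalls issuance and no single log is a critical dependency) is shown below as an added example; it is not code from this thread or from the CT open source stack. The logs are simulated in-process with constructed latencies and failure modes, the "SCT" is a stand-in token rather than an RFC 6962 structure, and the helper names (`collect_scts`, `submit_to_log`, `InsufficientScts`) are this example's own.

```python
"""Added example: CA-side fan-out of a pre-certificate to many CT logs,
keeping the first `required` SCTs that return.  Logs are simulated here
(constructed data); in a real CA each submit would be an HTTPS POST to
the log's add-pre-chain endpoint."""

import concurrent.futures as cf
import hashlib
import time

# Constructed simulated logs: name -> (latency in seconds, always_fails).
# log-c is slow, log-d is down; the rest answer quickly.
SIMULATED_LOGS = {
    "log-a": (0.01, False),
    "log-b": (0.02, False),
    "log-c": (0.30, False),
    "log-d": (0.00, True),
    "log-e": (0.03, False),
    "log-f": (0.05, False),
}


class InsufficientScts(RuntimeError):
    """Raised when fewer than the required number of logs answered in time."""


def submit_to_log(log_name, precert):
    """Simulated log submission (hypothetical): sleeps for the log's latency,
    then returns a stand-in SCT or raises if the log is unavailable."""
    latency, fails = SIMULATED_LOGS[log_name]
    time.sleep(latency)
    if fails:
        raise RuntimeError(f"{log_name} unavailable")
    token = hashlib.sha256(log_name.encode() + precert).hexdigest()[:16]
    return {"log": log_name, "sct": token}


def collect_scts(precert, log_names, required, timeout, submit=submit_to_log):
    """Submit `precert` to every log in `log_names` concurrently and return
    (scts, errors) once `required` SCTs have arrived.  Slow logs are simply
    not waited for; failing logs are recorded in `errors`.  Raises
    InsufficientScts if the quorum is not met before `timeout` seconds."""
    scts, errors = [], {}
    pool = cf.ThreadPoolExecutor(max_workers=max(1, len(log_names)))
    futures = {pool.submit(submit, name, precert): name for name in log_names}
    try:
        # as_completed yields futures in finish order, fastest log first.
        for fut in cf.as_completed(futures, timeout=timeout):
            name = futures[fut]
            try:
                scts.append(fut.result())
            except Exception as exc:  # one bad log must not abort the batch
                errors[name] = str(exc)
            if len(scts) >= required:
                break
    except cf.TimeoutError:
        pass  # quorum check below decides whether that is fatal
    finally:
        # Stop waiting on stragglers; they are not needed for issuance.
        pool.shutdown(wait=False, cancel_futures=True)
    if len(scts) < required:
        raise InsufficientScts(
            f"got {len(scts)} SCTs, need {required}; errors={errors}")
    return scts, errors


if __name__ == "__main__":
    got, errs = collect_scts(b"constructed-precert", list(SIMULATED_LOGS),
                             required=3, timeout=1.0)
    print("SCTs from:", [s["log"] for s in got])
    print("logs that errored:", errs)
```

Requiring SCTs from several logs, rather than only the CA's own, is what gives the redundancy the thread mentions: if one log is later struck from the trusted list, the certificate still carries SCTs from logs that remain trusted, and during issuance a single slow or unreachable log only costs the CA nothing more than an entry in `errors`.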