On 01.11.2015 10:25, Matt Caswell wrote:
> CT is the answer to a big problem. I fail to see that CAs deploying CT
> is a problem. I also don't see why only a CA can do this. There might be
> some adversaries that are perfectly capable of building large databases
> of certificates that they have "collected" from the internet.

a computer tomograph as the answer to a not really existing problem? and collecting SSL certificates is not a big thing; as long as the security problems aren't really solved, the privacy concerns don't exist;

>>> You can't.
>> really? try to find my S/MIME public key certificate ...
>> your "update" shows only SSL certificates; and as I said, SSL
>> certificates are not a problem ...
> Sorry, I must have missed that point? Why do you believe SSL
> certificates are not a problem?

because the request contains only the certificate serial number and not the certificate at all; what would you know when sniffing a request validating a certificate with serial 575775757 from CA x? in case you have a database where you could look up the serial in connection with the CA x, then you have some information that raises some small privacy concerns, but without ... having tracking pixels and strange scripts raises bigger problems: in security and privacy ...

> But if so, I fail to see why the
> existence of some certificates where the amount of information an
> attacker could gain is smaller (but not nil) means that we should not
> deploy OCSP over https for *all* certificates?

of course, when deploying OCSP over TLS, this must be done for ALL certificates; but relying on OCSP Stapling, which itself is a security hole, is the wrong way; (I mentioned this problem earlier) when validating whether it is safe to connect to a host, the information must come from a third party and not from the host itself (as OCSP Stapling is done)

> I also very much hope that CAs will deploy CT for S/MIME too.

only in hospitals ;-)

always think of this: not the defective headlight caused the accident where the car slipped off the road ;-) in other words, always think of the real cause first; OCSP and CRL downloads are not the cause of privacy concerns, so there is no need to change this;

Greetings,
Walter
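To make concrete what the message above says an on-path observer of an OCSP lookup sees, here is an added example (not from this thread and not OpenSSL code) that hand-builds a minimal unsigned RFC 6960 OCSPRequest and walks the DER back out: the only certificate-specific data is the CertID, i.e. hashes of the issuer name and key plus the serial number, never the certificate itself. The issuer name and key bytes are constructed placeholders; the serial 575775757 is the one quoted in the thread.

```python
import hashlib

SHA1_OID = bytes.fromhex("06052b0e03021a")  # id-sha1 (1.3.14.3.2.26), as used in CertID

def der_tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV; long-form length for bodies of 128 bytes or more."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def der_int(value: int) -> bytes:
    """INTEGER with a leading zero byte when needed so the sign bit stays clear."""
    return der_tlv(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))

def build_ocsp_request(issuer_name_der: bytes, issuer_key: bytes, serial: int) -> bytes:
    """OCSPRequest > TBSRequest > requestList > Request > CertID, no signature."""
    cert_id = der_tlv(0x30, der_tlv(0x30, SHA1_OID + b"\x05\x00")            # hashAlgorithm
                      + der_tlv(0x04, hashlib.sha1(issuer_name_der).digest())  # issuerNameHash
                      + der_tlv(0x04, hashlib.sha1(issuer_key).digest())       # issuerKeyHash
                      + der_int(serial))                                        # serialNumber
    tbs = der_tlv(0x30, der_tlv(0x30, der_tlv(0x30, cert_id)))  # requestList of one Request
    return der_tlv(0x30, tbs)

def der_read(buf: bytes, pos: int = 0):
    """Return (tag, body, next_pos) for the TLV that starts at pos."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                       # long-form length: next k bytes hold it
        k = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + ln], pos + ln

def der_children(body: bytes) -> list:
    """Split a constructed body into its (tag, body) children."""
    out, pos = [], 0
    while pos < len(body):
        tag, inner, pos = der_read(body, pos)
        out.append((tag, inner))
    return out

def parse_ocsp_request(der: bytes) -> dict:
    """Everything certificate-specific an observer gets: the first CertID's fields."""
    tbs = der_children(der_read(der)[1])[0][1]
    request_list = next(b for t, b in der_children(tbs) if t == 0x30)  # skip [0]/[1] items
    cert_id = der_children(der_children(request_list)[0][1])[0][1]
    alg, name_hash, key_hash, serial = der_children(cert_id)
    return {"hash_alg_oid": der_children(alg[1])[0][1].hex(), "serial": int.from_bytes(serial[1], "big"),
            "issuer_name_hash": name_hash[1].hex(), "issuer_key_hash": key_hash[1].hex()}
```

Calling `parse_ocsp_request(build_ocsp_request(name, key, serial))` shows the observer's view: an algorithm OID, two 20-byte hashes and the serial, which only becomes identifying if it can be joined against a database of certificates from that CA.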