I am coming to the conclusion that 'Why fix X when the attacker can do
Y so let's not bother with X' is the worst form of security argument.

No security control is a magic bullet. Expecting the control that
addresses X to also address Y is unreasonable. It is an excuse for
inaction.

CT is merely one component in the PKI/2 infrastructure. It is a
measurement device, so don't expect it to change anything on its own;
that is not the purpose. Measurement is not a control system, but
accurate measurement is a requirement for a good control system.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy