> > * There's currently no other service like crt.sh. It's essentially a
> > single point of failure of a lot of "WebPKI security stuff" people do.
> >

Not to detract from your point, but I'm happy to say there is a new kid in town: https://www.merklemap.com/

> Imagining something like a more than 10x increase in cert volumes (which
> would be the consequence of 6-day certs as the norm) probably means
> many people will just stop utilizing CT to find security issues in the
> WebPKI ecosystem. Add to that the fact that, depending on how fast the
> Quantum Cryptopocalypse will materialize itself, we may also have to
> increase the size per certificate quite substantially.
>
> I think this should be considered when discussing very-short-lived
> certs.
>

These are valid concerns. Let me add another: with static CT, running CT logs is easier, which will hopefully lead to more logs in the ecosystem. That will also lead to more logs that have to be followed.

Sticking to long-lived certs doesn't solve our PQ problems with CT, and I don't think it's necessary to make CT PQ ready. Something will have to give though. In MTC [1] for instance we have 14 day certs, but make that manageable by reducing the size of each cert, and deduplicating certificates across logs by moving the logs to the CA.

Best,

Bas

[1] https://davidben.github.io/merkle-tree-certs/draft-davidben-tls-merkle-tree-certs.html

> --
> Hanno Böck - Independent security researcher
> https://itsec.hboeck.de/
> https://badkeys.info/

--
You received this message because you are subscribed to the Google Groups "[email protected]" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CAMjbhoUB0k5kD82y9Tibtu0-RxGZbaadu-87y%3DHQ9CEh0rHaAw%40mail.gmail.com.
