CA/CT Redaction: Difference between revisions

=== IoT Usage ===


"Things" that connect to the internet (cars, baby monitors, etc.) will want to use publicly trusted certificates that work in common browsers and applications, but will not want the device identity number hierarchy publicly disclosed in CT logs, for security reasons. While private roots could be used, going that direction could prevent interoperability, and incompatibility with modern browser software could cause IoT device software to rely on custom software that doesn’t receive security updates (as browser software does), leading to the same kind of frozen legacy root stores that can’t be updated that we saw during the SHA-1 deprecation problems. For low-resource IoT devices (cameras, sensors, some car uses, etc.), DoS attacks are possible, and unredacted CT logs may help the DoS attacker.

Besides, device manufacturers are carefully designing OTA (over the air) updates. If devices have an OTA update function with sufficient crypto and security agility, they should be able to use name redaction.


===== Response =====