Static Certificate Transparency
7 days ago
- #Cloud Costs
- #Certificate Transparency
- #Security
- MerkleMap will not support the static Certificate Transparency API, viewing it as a regression for the CT ecosystem.
- Let's Encrypt's cost justification for abandoning RFC 6962 is questioned, with claims of 'approaching seven figures' being challenged as exaggerated.
- AWS's high costs, especially egress fees, are highlighted as a significant factor, with Let's Encrypt's sponsorship by AWS seen as a conflict of interest.
- MerkleMap operates a PostgreSQL database with full CT history since 2013 at a fraction of the cost claimed by Let's Encrypt.
- Static CT's limitations include the lack of any proof-by-hash query (there is no equivalent of RFC 6962's get-proof-by-hash, so inclusion proofs have to be assembled client-side from hash tiles) and the need for clients to translate entry ranges into tile fetches themselves instead of issuing a single get-entries request.
- Security concerns with Sunlight implementation include predictable cryptographic keys, lack of permission checks, and weak authentication methods.
- MerkleMap criticizes the promotion of static CT through Chrome's market position, bypassing standard consensus-building processes.
- MerkleMap will not monitor logs using the Sunlight implementation due to security failures and poor handling of security disclosures.
- MerkleMap continues to support RFC 6962, advocating for evolutionary changes within the existing proven framework.
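What "handling range queries manually" looks like for a monitor, as an added example that is not code from the MerkleMap post, the Sunlight project, or any log operator: the tile addressing below follows the C2SP tlog-tiles and static-ct-api rules (256 entries per tile, tile index path-encoded in 3-digit groups with all but the last prefixed by `x`, a `.p/<W>` suffix for partial tiles). It goes slightly beyond the bullet above by also computing hash-tile paths at any level, which is what a client needs before it can build its own inclusion proof. The monitoring prefix `https://log.example/2025h1`, the tree size and the entry range are constructed for illustration.

```python
"""Added example (not from the MerkleMap post or Sunlight): translate an
RFC 6962 get-entries range into static-ct-api tile fetches. Tile width,
the path-encoded index and the `.p/<W>` partial-tile suffix follow the
C2SP tlog-tiles / static-ct-api specs; the prefix, tree size and entry
range used here are assumed."""

TILE_WIDTH = 256  # entries (or hashes) per full tile, fixed by the spec
LOG_PREFIX = "https://log.example/2025h1"  # assumed monitoring prefix


def rfc6962_get_entries_url(start: int, end: int, prefix: str = LOG_PREFIX) -> str:
    """RFC 6962: one request with an inclusive range; the server slices."""
    return f"{prefix}/ct/v1/get-entries?start={start}&end={end}"


def encode_tile_index(n: int) -> str:
    """Path-encode a tile index as 3-digit groups, all but the last
    prefixed with 'x': 67 -> '067', 1234067 -> 'x001/x234/067'."""
    groups = []
    while True:
        groups.append(f"{n % 1000:03d}")
        n //= 1000
        if n == 0:
            break
    groups.reverse()
    return "/".join(["x" + g for g in groups[:-1]] + [groups[-1]])


def tile_width(level: int, tile_index: int, tree_size: int) -> int:
    """Hashes present in tile `tile_index` at `level` for a tree of
    `tree_size` leaves. A level-L tile holds roots of complete subtrees
    of 256**L leaves; level 0 holds leaf hashes (data tiles hold the
    entries themselves). Returns 0 if the tile does not exist yet."""
    complete_nodes = tree_size // (TILE_WIDTH ** level)
    first = tile_index * TILE_WIDTH
    return max(0, min(TILE_WIDTH, complete_nodes - first))


def tile_path(kind: str, tile_index: int, tree_size: int, prefix: str = LOG_PREFIX) -> str:
    """URL of a tile. `kind` is 'data' for entry tiles or a level number
    (as a string) for hash tiles. A full tile has no suffix; a partial
    tile is addressed with '.p/<W>' where W is its current width."""
    level = 0 if kind == "data" else int(kind)
    width = tile_width(level, tile_index, tree_size)
    if width == 0:
        raise ValueError(f"tile {kind}/{tile_index} does not exist at tree size {tree_size}")
    path = f"{prefix}/tile/{kind}/{encode_tile_index(tile_index)}"
    return path if width == TILE_WIDTH else f"{path}.p/{width}"


def plan_range_fetch(start: int, end: int, tree_size: int, prefix: str = LOG_PREFIX):
    """Static CT: the client turns an inclusive entry range into a list of
    (data tile URL, first offset in tile, end offset exclusive). Entries
    at or beyond tree_size are clamped away, because a client must not
    request tiles the checkpoint does not cover."""
    if start < 0 or end < start:
        raise ValueError("invalid range")
    end = min(end, tree_size - 1)
    plan = []
    for t in range(start // TILE_WIDTH, end // TILE_WIDTH + 1):
        base = t * TILE_WIDTH
        lo = max(start, base) - base
        hi = min(end, base + TILE_WIDTH - 1) - base + 1
        plan.append((tile_path("data", t, tree_size, prefix), lo, hi))
    return plan


if __name__ == "__main__":
    # Constructed scenario: the checkpoint says 700 entries, we want 250..600.
    print(rfc6962_get_entries_url(250, 600))
    for url, lo, hi in plan_range_fetch(250, 600, 700):
        print(f"{url}  entries[{lo}:{hi}]")
```

For the 700-entry tree the range 250..600 becomes three fetches, the last one a partial tile at `tile/data/002.p/188` from which only the first 89 entries are wanted; the RFC 6962 equivalent is the single get-entries URL. Partial-tile widths change as the log grows, so a monitor has to re-derive these paths from the latest checkpoint rather than cache them.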