Date: Mon, 29 Feb 2016 16:08:00 -0800
From: Seth David Schoen <schoen@eff.org>
To: tor-talk@lists.torproject.org
Message-ID: <20160301000800.GY7036@mail2.eff.org>
References: <cb60695502b3655851993b7f79e1e816@openmailbox.org>
MIME-Version: 1.0
Content-Disposition: inline
In-Reply-To: <cb60695502b3655851993b7f79e1e816@openmailbox.org>
User-Agent: Mutt/1.5.21 (2010-09-15)
Subject: Re: [tor-talk] Lets Encrypt compared to self-signed certs

bancfc@openmailbox.org writes:

> Hi David. Thanks for chiming in. Please add a feature for pinning at
> the key level as IMO it provides the best protection.

We don't have any tools for pinning at all but you can read people's
tips about it on the Let's Encrypt community forum.

> Will the logs provide users/site owners with a way to independently
> check if coercion has happened?

The logs obviously don't have metadata about whether certificates are a
result of coercion, but if you are the site owner and you see a
certificate in the log that you didn't ask for, you have evidence that
there's been a problem, while if you are a user and you see a
certificate on the site that isn't in the log, you have evidence that
there's been a different kind of problem.

> Would systems like Cothority help Let's Encrypt users notice cert
> issuance inconsistencies even under compelled assistance? This
> project has the advantage of letting Tor clients spot anomalies in
> the Tor consensus documents should any of the DirAuths be
> compromised and it can be used for CAs too:
> 
> https://github.com/dedis/cothority

I'll be happy to take a look at that.

-- 
Seth Schoen  <schoen@eff.org>
Senior Staff Technologist                       https://www.eff.org/
Electronic Frontier Foundation                  https://www.eff.org/join
815 Eddy Street, San Francisco, CA  94109       +1 415 436 9333 x107
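The two checks Seth describes, the owner noticing a logged certificate they never requested and the user noticing a served certificate the log cannot prove it holds, as an added example (not code from this thread, from EFF or from Let's Encrypt). It implements the RFC 6962 Merkle tree hashing and inclusion-proof verification that a CT client would run; the log entries, the requested set and all function names are constructed stand-ins of my own.

```python
import hashlib

# Constructed stand-ins for log entries (a real log holds certificate DER).
LOG = [b"example.org serial 1", b"example.net serial 7",
       b"example.org serial 2", b"example.com serial 3",
       b"example.org serial 9"]
REQUESTED = {b"example.org serial 1", b"example.org serial 2"}  # owner's own requests

def leaf_hash(entry: bytes) -> bytes:
    # RFC 6962 domain separation: 0x00 prefix for leaves, 0x01 for interior nodes
    return hashlib.sha256(b"\x00" + entry).digest()
def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()
def _split(n: int) -> int:
    return 1 << ((n - 1).bit_length() - 1)  # largest power of two below n (n >= 2)

def tree_head(entries) -> bytes:
    if len(entries) == 1:
        return leaf_hash(entries[0])
    k = _split(len(entries))
    return node_hash(tree_head(entries[:k]), tree_head(entries[k:]))

def inclusion_proof(entries, index) -> list:
    # Audit path a log returns for entry `index` (RFC 6962 PATH()).
    if len(entries) == 1:
        return []
    k = _split(len(entries))
    if index < k:
        return inclusion_proof(entries[:k], index) + [tree_head(entries[k:])]
    return inclusion_proof(entries[k:], index - k) + [tree_head(entries[:k])]
def verify_inclusion(entry, index, proof, tree_size, root) -> bool:
    # User-side check: rebuild the root from the served cert plus the audit path.
    if index >= tree_size:
        return False
    fn, sn, r = index, tree_size - 1, leaf_hash(entry)
    for p in proof:
        if sn == 0:
            return False
        if fn & 1 or fn == sn:
            r = node_hash(p, r)
            while not (fn & 1 or fn == 0):
                fn, sn = fn >> 1, sn >> 1
        else:
            r = node_hash(r, p)
        fn, sn = fn >> 1, sn >> 1
    return sn == 0 and r == root

def unexpected_issuances(entries, name: bytes, requested) -> list:
    # Owner-side check: logged certs for our name that we never asked for.
    return [e for e in entries if e.startswith(name) and e not in requested]
```

A certificate that verifies against the log's signed tree head is the "it is in the log" evidence for the user; an entry for your name that is not in your requested set is the owner's evidence that someone else obtained a certificate.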