by matthew9219 1119 days ago
Web PKI so strong that we recommend not using it for critical scenarios.. /s

It's late and I maybe haven't been super constructive here, but I think when you try to write out the actual assumptions behind CT as the whole solution, you realize you've got something that mostly works assuming assuming assuming - and worse, we'll never do any better, because those assumptions are fundamental technical limits. DNSSEC may be ugly but at least its problems (like validators failing open) are just deployment issues, not fundamental technical issues.

I'm sick and tired of using technologies that provide security or correctness subject to a long list of preconditions and ways for folks to tell me I'm using it wrong. To build secure systems, we need technology that provides correct security without so many asterisks and so much fine print.

1 comments

The whole premise of your argument about set-top boxes and CT was refuted, and you've used that as evidence that you were right all along.
Do you believe CT protects set-top boxes against surveillance from nation state actors who compromise your router? Yes or no, if you don't answer, you're not engaging in good faith.
Nobody's ever going to continue discussing things with you when you end your comments with barbs like "if you don't answer, you're not engaging in good faith."