[cryptography] Auditable CAs

Ben Laurie ben at links.org
Wed Dec 7 06:00:38 EST 2011


On Tue, Dec 6, 2011 at 10:48 AM, Florian Weimer <fweimer at bfk.de> wrote:
> * Ben Laurie:
>
>> Given the recent discussion on Sovereign Keys I thought people might
>> be interested in a related, but less ambitious, idea Adam Langley and
>> I have been kicking around:
>> http://www.links.org/files/CertificateAuthorityTransparencyandAuditability.pdf.
>
> Why wouldn't the problem we have with CAs now resurface again with the
> entity which maintains the log?  And why is a new protocol needed?
> Couldn't you just treat certificates from existing browser CAs as
> signing requests for an uber-CA which issues traditional X.509
> certificates?

I don't know how to answer that without just regurgitating the
document again. You have read it, right?

> Viewed from another perspective, "The CA must publish a list of
> certificates it has issued" is a perfectly auditable requirement (in
> particular if you specify availability and format), so if this is what
> we want, browser vendors could just make it a requirement for being on
> the root list.  However, this seems rather unrealistic at this point.
>
> Therefore, I have written a proposal for TLS extension which adds some
> additional transparency regarding the certificates which are floating
> around, without mandatory publication by the CAs or a third party.

Our proposal does not require CAs or third parties to publish anything.

>  It
> relies on the phenomenon that nowadays, we have a fair number of mobile
> devices which migrate between networks with and without a clear path,
> and sufficient local storage capacity to keep track of the certificates
> they see.
>
> <http://tools.ietf.org/html/draft-weimer-tls-previous-certificate-00>
>
> I still think the concept is sound, and some discussion in this thread
> (on TLS-intercepting proxies) makes it clear why the complexity of
> sending the entire certificate chain is necessary.

Interesting proposal: two comments immediately spring to mind:

1. You probably need to allow for sending more than one certificate chain.

2. What about server farms that have a different cert per machine? Or CDNs?
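As an added illustration (not code from either proposal), a toy model of the client-side certificate memory Florian describes, with both comments above built in: the server may offer several previous chains, and a host legitimately served by more than one chain (a farm or CDN) stays recognised. The fingerprint, the chain encoding and the four outcomes are constructed for this example and are not the draft's wire format.

```python
import hashlib


def fingerprint(chain):
    """Constructed fingerprint: SHA-256 over length-prefixed certificates of one chain."""
    h = hashlib.sha256()
    for cert in chain:
        h.update(len(cert).to_bytes(4, "big") + cert)
    return h.hexdigest()


class CertMemory:
    """Client-side memory of the certificate chains seen per host (constructed model)."""

    def __init__(self):
        self.seen = {}  # host -> set of chain fingerprints already accepted

    def check(self, host, presented, previous=()):
        """Classify one handshake.

        presented: the chain the server sent in this handshake.
        previous:  zero or more chains the server says it used before (the
                   extension payload in this model; several are allowed so a
                   farm or CDN with a different cert per machine can be covered).
        Returns 'first-seen', 'known', 'rotated' or 'unexplained'.
        """
        fp = fingerprint(presented)
        known = self.seen.setdefault(host, set())
        if not known:
            # Nothing remembered yet: trust on first use, but start remembering.
            known.add(fp)
            return "first-seen"
        if fp in known:
            return "known"
        # A new chain is accepted only if at least one of the chains the server
        # claims to have used before is one this client actually remembers.
        if any(fingerprint(p) in known for p in previous):
            known.add(fp)
            return "rotated"
        # No link to anything seen before, e.g. an intercepting proxy that
        # cannot present the real server's history.
        return "unexplained"
```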
