[cryptography] Auditable CAs

Tom Ritter tom at ritter.vg
Sun Nov 27 17:54:50 EST 2011


So my biggest question is what defines a "publically visible
certificate"?  Of course every certificate gmail uses would be
public... but what about the cert that corresponds to the new product
google is launching that's in beta for a few users?  That cert should
be published... but then that lets the cat out of the bag.  (Isn't
this almost the same problem DNSSEC has?)  I'm confused about whether
people opt-in, or opt-out, or opt-anything.

> Similarly it might be> possible to allow an intermediate CA to create
> private certificates within a subdomain - in this case> the intermediate CA certificate would have to be logged
> along with which domain it could create> subdomains in, so that mis-issues can still be detected.
> For example, an X.509 extension specifying> the permitted domains could be included in the certificate.

Wouldn't this be easier done with NameConstraints?

-tom



More information about the cryptography mailing list