[cryptography] Auditable CAs

Ben Laurie ben at links.org
Sun Nov 27 18:09:25 EST 2011


On Sun, Nov 27, 2011 at 10:54 PM, Tom Ritter <tom at ritter.vg> wrote:
> So my biggest question is what defines a "publicly visible
> certificate"?  Of course every certificate gmail uses would be
> public... but what about the cert that corresponds to the new product
> google is launching that's in beta for a few users?  That cert should
> be published... but then that lets the cat out of the bag.  (Isn't
> this almost the same problem DNSSEC has?)  I'm confused about whether
> people opt-in, or opt-out, or opt-anything.

Google has two options, I think.

1. Tell the few users to ignore the scary warning.

2. Ask the few users to configure a secret log that validates the beta cert.

>
>> Similarly it might be possible to allow an intermediate CA to create
>> private certificates within a subdomain - in this case the
>> intermediate CA certificate would have to be logged along with which
>> domain it could create subdomains in, so that mis-issues can still be
>> detected. For example, an X.509 extension specifying the permitted
>> domains could be included in the certificate.
>
> Wouldn't this be easier done with NameConstraints?
>
> -tom
>
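
The mis-issue check implied by the quoted proposal, as an added example that is not part of the original thread: a monitor compares the names seen in leaf certificates against the domain scope logged for each intermediate CA, using the RFC 5280 dNSName NameConstraints matching rule. The CA names, domains and log structure below are constructed assumptions.

```python
# Added example: constructed data, hypothetical names throughout.
from dataclasses import dataclass

def _labels(name):
    # DNS names compare case-insensitively; ignore a trailing root dot.
    return name.rstrip(".").lower().split(".")

def within_subtree(dns_name, permitted):
    """RFC 5280 dNSName rule: the name matches if it equals the constraint
    or adds whole labels to its left (so badexample.com != example.com)."""
    name, base = _labels(dns_name), _labels(permitted)
    if "" in name or "" in base:
        return False                      # empty label: malformed, reject
    return len(name) >= len(base) and name[-len(base):] == base

@dataclass
class LoggedIntermediate:
    subject: str          # intermediate CA as it appears in the public log
    permitted: tuple      # domains it was logged as allowed to issue under

def find_misissues(log, observed):
    """observed: iterable of (issuer_subject, [dns names in the leaf cert]).
    Returns (issuer, name, reason) for each name that breaks the logged scope."""
    by_subject = {e.subject: e for e in log}
    findings = []
    for issuer, names in observed:
        entry = by_subject.get(issuer)
        for n in names:
            if entry is None:
                findings.append((issuer, n, "issuer not in log"))
            elif not any(within_subtree(n, p) for p in entry.permitted):
                findings.append((issuer, n, "outside permitted subtree"))
    return findings

# Constructed sample data.
LOG = [LoggedIntermediate("CN=Example Corp Internal CA", ("corp.example.com",))]
OBSERVED = [
    ("CN=Example Corp Internal CA", ["beta.corp.example.com"]),
    ("CN=Example Corp Internal CA", ["mail.example.com", "evilcorp.example.com"]),
    ("CN=Unlogged CA", ["www.corp.example.com"]),
]

if __name__ == "__main__":
    for finding in find_misissues(LOG, OBSERVED):
        print(finding)
```

Only the intermediate and its scope need to be public for this check; the private leaf names are seen only by whoever runs the comparison.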


