[cryptography] Auditable CAs

Seth David Schoen schoen at eff.org
Wed Nov 30 14:37:36 EST 2011

ianG writes:

> 3.  the existence of a certificate in the log is acceptable proof of
> goodness for a browser.
> Is that it, in minimalist form?
> In analogous terms, is this like having the browser check EFF's
> repository for a second opinion?  Or, like OCSP but expanding the
> servers to cover all certs from all CAs, and test on the
> certificates not the serial numbers?

The browser still has to validate the certificate, so appearing
in the log doesn't directly prove that the certificate is valid.

The question that this system makes the browser answer before
accepting a cert is:

  Could the site operator know about the existence of this cert?

Seth Schoen  <schoen at eff.org>
Senior Staff Technologist                       https://www.eff.org/
Electronic Frontier Foundation                  https://www.eff.org/join
454 Shotwell Street, San Francisco, CA  94110   +1 415 436 9333 x107
