[cryptography] Certificate Transparency: working code

Nico Williams nico at cryptonector.com
Thu Mar 1 16:26:31 EST 2012


On Thu, Mar 1, 2012 at 3:14 PM, Thierry Moreau
<thierry.moreau at connotech.com> wrote:
> May I ask a (maybe stupid) question?
>
> "... audit proofs will be valid indefinitely ..."
>
> Then what remains of the scheme reputation once Mallory managed to inject a
> fraudulent certificate in whatever is being audited (It's called a "log" but
> I understand it as a grow-only repository)?

IIUC...

Someone (domain owners) has to audit the CAs by reviewing their audit
logs.  If enough domain owners do this then the remaining domain
owners' clients get protection by the deterrent effect of having CAs
be auditable and mostly-audited too -- something not too unlike herd
immunity.

Security with CT is asynchronous as far as the client is concerned,
but with some help from CAs this could be made as good as synchronous.
 The client synchronously gets a proof that the server cert has been
added to the log.  The client could even get synchronous confirmation
that the logs have been audited by the target server's owners up to a
given point in time -- hopefully very recently.  There will be some
latency from "a cert gets added to the log" to "that addition was
audited", but if auditable CAs commit to issuing certificates with
notBefore set in the future by enough time that most domain owners can
have audited the issuance and revoked it if necessary *before* the new
cert becomes valid, then the client gets as good as synchronous
protection.

I think the audit-by-domain-owners latency could be made as short as
seconds, but hours will do.

Nico
--



More information about the cryptography mailing list