[cryptography] Updated Certificate Transparency site

Nico Williams nico at cryptonector.com
Thu Aug 1 17:04:27 EDT 2013


On Thu, Aug 1, 2013 at 12:57 PM, wasa bee <wasabee18 at gmail.com> wrote:
> in CT, how do you tell if a newly-generated cert is legitimate or not?
> Say, I am a state-sponsored attacker and can get a cert signed by my
> national CA for barclays. How do you tell this cert is not legitimate? It
> could have been barclays' IT admin who asked for a new cert.
> Do companies need to liaise with CT to tell them which certs are valid? Do
> they need to tell CT each time they change or get new certs?

CT allows the relying parties (e.g., TLS clients) only to verify that
the CA issued the cert in an auditable way.  Only the owners of
resources named by certs (or their agents) can meaningfully audit
certificate issuance.  If everyone does their part CT causes the risk
of dishonest CA behavior discovery to become too great for CAs to
engage in such behavior.

If you're in a position to know what CAs are allowed to issue certs
for a given name, then you can check for (audit) a) issuance of certs
for that name by unauthorized CAs, b) issuance of new certs by
authorized CAs but for unauthorized public keys.

Nico
--
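
The audit described in the message above (a: certs issued by unauthorized CAs, b: certs from authorized CAs but for unauthorized public keys), as an added example that is not part of the original post. The LogEntry shape, the CA names and all sample data are constructed assumptions; real CT log entries carry full X.509 certificates that would be parsed first.

```python
# Added example: name-owner audit over already-parsed CT log entries.
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class LogEntry:              # hypothetical, simplified view of one logged cert
    index: int               # position in the log
    names: tuple             # DNS names the cert covers
    issuer: str              # name of the issuing CA
    spki: bytes              # subject public key bytes

def spki_hash(spki: bytes) -> str:
    return hashlib.sha256(spki).hexdigest()

def covers(cert_name: str, owned: str) -> bool:
    """True if cert_name is the owned domain, a subdomain, or a wildcard under it."""
    cert_name = cert_name.lower().rstrip(".")
    owned = owned.lower().rstrip(".")
    if cert_name.startswith("*."):
        cert_name = cert_name[2:]
    # The "." prefix keeps notexample.com from matching example.com.
    return cert_name == owned or cert_name.endswith("." + owned)

def audit(entries, owned_domain, authorized_cas, authorized_key_hashes):
    """Return (index, finding) for every logged cert the owner did not sanction."""
    findings = []
    for e in entries:
        if not any(covers(n, owned_domain) for n in e.names):
            continue                                   # not our name
        if e.issuer not in authorized_cas:
            findings.append((e.index, "unauthorized-ca"))      # case (a)
        elif spki_hash(e.spki) not in authorized_key_hashes:
            findings.append((e.index, "unauthorized-key"))     # case (b)
    return findings

# Constructed sample data: the owner's policy and five log entries.
OUR_KEY = b"constructed-spki-of-our-server-key"
AUTHORIZED_CAS = {"Example Trusted CA"}
AUTHORIZED_KEYS = {spki_hash(OUR_KEY)}
ENTRIES = [
    LogEntry(0, ("www.example.com",), "Example Trusted CA", OUR_KEY),
    LogEntry(1, ("login.example.com",), "Other National CA", b"constructed-key-1"),
    LogEntry(2, ("*.example.com",), "Example Trusted CA", b"constructed-key-2"),
    LogEntry(3, ("www.example.org",), "Other National CA", b"constructed-key-3"),
    LogEntry(4, ("notexample.com",), "Other National CA", b"constructed-key-4"),
]

if __name__ == "__main__":
    for index, finding in audit(ENTRIES, "example.com", AUTHORIZED_CAS, AUTHORIZED_KEYS):
        print(index, finding)
```

Only the party holding the allow-lists (the name's owner or its agent) can run this check meaningfully, which is the point the message makes about who can audit.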

