In CT, how do you tell if a newly-generated cert is legitimate or not?
Say, I am a state-sponsored attacker and can get a cert signed by my
national CA for Barclays. How do you tell this cert is not legitimate? It
could have been Barclays' IT admin who asked for a new cert.
Do companies need to liaise with CT to tell them which certs are valid? Do
they need to tell CT each time they change or get new certs?


Sorry if this is basic CT knowledge...
Thanks


On Thu, Aug 1, 2013 at 12:06 PM, Ben Laurie <b...@links.org> wrote:

> Since there was some puzzlement over CT, I thought it might be of
> interest that we have revamped the site:
> http://www.certificate-transparency.org/.
>
> Comments and questions welcome.
> _______________________________________________
> cryptography mailing list
> cryptography@randombit.net
> http://lists.randombit.net/mailman/listinfo/cryptography
>