On Thu, Aug 1, 2013 at 12:57 PM, wasa bee <wasabe...@gmail.com> wrote: > in CT, how do you tell if a newly-generated cert is legitimate or not? > Say, I am a state-sponsored attacker and can get a cert signed by my > national CA for barclays. How do you tell this cert is not legitimate? It > could have been barclays' IT admin who asked for a new cert. > Do companies need to liaise with CT to tell them which certs are valid? Do > they need to tell CT each time they change or get new certs?
CT allows the relying parties (e.g., TLS clients) only to verify that the CA issued the cert in an auditable way. Only the owners of resources named by certs (or their agents) can meaningfully audit certificate issuance. If everyone does their part CT causes the risk of dishonest CA behavior discovery to become to great for CAs to engage in such behavior. If you're in a position to know what CAs are allowed to issue certs for a given name, then you can check for (audit) a) issuance of certs for that name by unauthorized CAs, b) issuance of new certs by authorized CAs but for unauthorized public keys. Nico -- _______________________________________________ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
