To further support your claims here, Chris, there are already tools coming out which actively monitor domains in CT logs and can be set up with notifications of misissuance:

https://www.digicert.com/certificate-monitoring/
https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/EPv_u9V06n0

This type of tool for CT is only going to improve with time.

On Monday, June 8, 2015 at 5:23:14 PM UTC-6, Chris Palmer wrote:
>
> > For the sake of argument let's suppose I generate a cert for
> > "googlecares[dot]com" and it shows up in the CT logs. What happens next?
>
> A shell script notices this and pages the team responsible for
> managing the company's online identities. Then, company
> representatives have a phone call with the issuing CA. History shows
> that various things may come from that, depending on the
> circumstances.
>
> https://en.wikipedia.org/wiki/DigiNotar#Issuance_of_fraudulent_certificates
>
> > What if I do "googlecares[dot]org" instead?
>
> Probably something similar, because the company probably bought that
> name and certs for it too.
>
> > Even if someone notices, what action will be taken? As a bad guy I'm going
> > to do whatever I can get away with, so it seems I don't have to worry about
> > CT because, as it turns out, I can get away with quite a lot.
>
> You seem to be assuming that web site operators can't write shell
> scripts, and don't care about their public names and public keys, and
> that mis-issuance has been consequence-free when detected in the past.
> Those are strange assumptions, and history shows they don't always
> hold.
>
> I'm done arguing this point, no doubt to everyone's relief. :)

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
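The watcher Chris describes, as an added illustration rather than code from this thread or from either monitoring tool linked above: it walks constructed CT log records and raises two kinds of alert, a cert for an owned domain from a CA the owner does not use (possible misissuance) and a cert for a name that carries the brand but is not an owned domain (lookalike); the owned-domain set, expected-issuer set and brand keyword are assumed policy values.

```python
"""Toy CT-log watcher. The log entries below are constructed samples
standing in for parsed CT records, not real log data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class LogEntry:
    issuer: str    # issuing CA name as written in the certificate
    names: tuple   # subject CN plus SAN dNSNames


# Assumed policy for the hypothetical brand owner of example.com/.org.
OWNED_DOMAINS = {"example.com", "example.org"}
EXPECTED_ISSUERS = {"Example Trusted CA"}
BRAND_KEYWORDS = ("example",)


def registrable(name: str) -> str:
    """Drop a leading wildcard and keep the last two labels (toy eTLD+1)."""
    labels = name.lower().lstrip("*.").split(".")
    return ".".join(labels[-2:])


def classify(entry: LogEntry) -> list:
    """Return (kind, name, issuer) alerts for one log entry."""
    alerts = []
    for name in entry.names:
        base = registrable(name)
        if base in OWNED_DOMAINS:
            # Our name, but not from a CA we buy from: treat as misissuance.
            if entry.issuer not in EXPECTED_ISSUERS:
                alerts.append(("MISISSUANCE", name, entry.issuer))
        elif any(k in base.split(".")[0] for k in BRAND_KEYWORDS):
            # Brand string inside a registrable name we do not own.
            alerts.append(("LOOKALIKE", name, entry.issuer))
    return alerts


def scan(entries) -> list:
    return [a for e in entries for a in classify(e)]


# Constructed sample records.
SAMPLE_LOG = [
    LogEntry("Example Trusted CA", ("www.example.com", "example.com")),
    LogEntry("Some Other CA", ("mail.example.org",)),
    LogEntry("Some Other CA", ("examplecares.com", "www.examplecares.com")),
    LogEntry("Some Other CA", ("unrelated.net",)),
]

if __name__ == "__main__":
    for kind, name, issuer in scan(SAMPLE_LOG):
        print(f"{kind}: {name} issued by {issuer}")  # page the team here
```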