On Tuesday 09 June 2015 10:44:58 Rob Stradling wrote:
> On 09/06/15 04:05, Clint Wilson wrote:
> > To further support your claims here, Chris, there are already tools coming
> > out which actively monitor domains in CT logs and can be set up with
> > notifications of misissuance:
> > https://www.digicert.com/certificate-monitoring/
> > https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/EPv_u9V06n0
> >
> > This type of tool for CT is only going to improve with time.
>
> If you act as a CT monitor yourself, you can be sure that the logs
> aren't misbehaving. But if you rely on a third party to monitor the
> logs for you, you have to trust that third party.
True, OTOH, if a third party says that there was a misissuance, that means there was one.

> Therefore, ISTM that some domain owners might want to be able to use the
> services of multiple independent monitors simultaneously.
>
> So I'm wondering if the TRANS WG should think about standardizing a JSON
> API for searching CT logs and for setting up notifications of
> (mis-)issuance. The server side of this API could be implemented by
> services such as https://crt.sh or even directly by the logs themselves.

Yes, definitely. Having a service like ssllabs.com inform the user if a given domain uses a public key that is used somewhere else, or that there are "n" other certificates for a given domain name, would definitely be useful. Command-line tools are in exactly the same situation. Having a common API across multiple CT logs would definitely make the above more robust.

> > On Monday, June 8, 2015 at 5:23:14 PM UTC-6, Chris Palmer wrote:
> >>> For the sake of argument let's suppose I generate a cert for
> >>> "googlecares[dot]com" and it shows up in the CT logs. What happens
> >>> next?
> >>
> >> A shell script notices this and pages the team responsible for
> >> managing the company's online identities. Then, company
> >> representatives have a phone call with the issuing CA. History shows
> >> that various things may come from that, depending on the
> >> circumstances.
> > <snip>
> >> You seem to be assuming that web site operators can't write shell
> >> scripts, and don't care about their public names and public keys, and
> > <snip>
>
> BTW, you probably won't be surprised to hear that I've been trying to
> think of reasons to create a shell script called "crt.sh". ;-)

--
Regards,
Hubert Kario
Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
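The monitoring flow the thread describes (a script watches CT entries for names you own and pages someone when a certificate turns up from a CA you never used), together with the two checks Hubert mentions (your public key appearing on a name you do not own, and "n other certificates" for a given domain), as an added example; this is not code from anyone in the thread, crt.sh, or the TRANS WG. It assumes a JSON search result in the shape crt.sh's JSON output uses (`id`, `issuer_name`, `name_value` with one DNS name per line); `spki_sha256` is an assumed extra field that crt.sh does not return, and the entries are constructed sample data.

```python
"""Toy CT monitor over a crt.sh-style JSON search result (added example).

Assumed record shape: crt.sh's JSON fields (id, issuer_name, name_value with
one DNS name per line); spki_sha256 is an assumed extra field that crt.sh
does not return. SAMPLE_ENTRIES is constructed test data, not real log output.
"""
import json
from collections import defaultdict

WATCHED = {"example.com"}                                    # names we own
EXPECTED_ISSUERS = {"C=US, O=Example CA, CN=Example CA G1"}  # CAs we actually use

SAMPLE_ENTRIES = json.dumps([
    {"id": 1, "issuer_name": "C=US, O=Example CA, CN=Example CA G1",
     "name_value": "example.com\nwww.example.com",
     "not_before": "2015-05-01T00:00:00", "spki_sha256": "aa" * 32},
    {"id": 2, "issuer_name": "C=US, O=Example CA, CN=Example CA G1",
     "name_value": "*.example.com",
     "not_before": "2015-05-20T00:00:00", "spki_sha256": "aa" * 32},
    # Issued by a CA we never asked: the misissuance case from the thread.
    {"id": 3, "issuer_name": "C=ZZ, O=Other CA, CN=Other CA Root",
     "name_value": "mail.example.com",
     "not_before": "2015-06-08T12:00:00", "spki_sha256": "bb" * 32},
    # Our public key showing up on a name we do not own.
    {"id": 4, "issuer_name": "C=US, O=Example CA, CN=Example CA G1",
     "name_value": "unrelated.test",
     "not_before": "2015-06-09T08:00:00", "spki_sha256": "aa" * 32},
    # Noise: a lookalike name that is not under our domain (no dot boundary).
    {"id": 5, "issuer_name": "C=ZZ, O=Other CA, CN=Other CA Root",
     "name_value": "notexample.com",
     "not_before": "2015-06-09T09:00:00", "spki_sha256": "cc" * 32},
])


def cert_names(entry):
    """Split name_value (one SAN per line, as crt.sh packs it) into sorted lowercase names."""
    return sorted({n.strip().lower() for n in entry["name_value"].split("\n") if n.strip()})


def in_watched_domain(name, domain):
    """True if a certificate name is the apex, a subdomain, or a wildcard under `domain`.
    The leading dot in the suffix check keeps 'notexample.com' from matching 'example.com'."""
    if name.startswith("*."):
        name = name[2:]
    return name == domain or name.endswith("." + domain)


def scan(entries, watched=WATCHED, expected_issuers=EXPECTED_ISSUERS):
    """Return per-domain certificate counts plus alerts for unexpected issuers and key reuse."""
    alerts = []
    counts = defaultdict(int)
    spki_owner = defaultdict(set)  # spki fingerprint -> ids of our certs using that key
    outsiders = []                 # certs carrying no watched name at all
    for e in entries:
        names = cert_names(e)
        hit = {d for d in watched for n in names if in_watched_domain(n, d)}
        if not hit:
            outsiders.append((e["spki_sha256"], e["id"], names))
            continue
        for d in hit:
            counts[d] += 1
        spki_owner[e["spki_sha256"]].add(e["id"])
        if e["issuer_name"] not in expected_issuers:
            alerts.append({"kind": "unexpected-issuer", "id": e["id"],
                           "issuer": e["issuer_name"], "names": names})
    # Second pass: a key we use on our names must not appear on anyone else's.
    for spki, cid, names in outsiders:
        if spki in spki_owner:
            alerts.append({"kind": "key-reuse", "id": cid, "names": names,
                           "shared_with": sorted(spki_owner[spki])})
    return {"alerts": alerts, "counts": dict(counts)}


def scan_sample():
    """Run the monitor over the constructed sample page of entries."""
    return scan(json.loads(SAMPLE_ENTRIES))


if __name__ == "__main__":
    # In a real deployment this is where the pager call would go.
    print(json.dumps(scan_sample(), indent=2))
```

The second pass is the reason to keep certificates that carry none of your names: the key-reuse check only has meaning once every key seen on your own certificates is known, so certificates outside your domain are scanned after, not filtered out before.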