Re: [cryptography] Updated Certificate Transparency site

2013-08-02 Thread staticsafe
On Thu, Aug 01, 2013 at 05:32:55PM -0400, Jeffrey Walton wrote:
> On Thu, Aug 1, 2013 at 5:04 PM, Nico Williams n...@cryptonector.com wrote:
>> On Thu, Aug 1, 2013 at 12:57 PM, wasa bee wasabe...@gmail.com wrote:
>>
>> ... If everyone does their part CT causes the risk
>> of dishonest CA behavior discovery to become too great for CAs to
>> engage in such behavior.
> Sorry to drift a bit, but how so? The best I can tell, there is little
> to no risk because browsers (and others in similar positions) often
> refuse to take action. As Trustwave and Mozilla, Microsoft, et al
> recently demonstrated, it's just a dog and pony show.
>
> Jeff

Eh, what did Mozilla do (or didn't do)? Which incident are you referring
to?
-- 
staticsafe
O ascii ribbon campaign - stop html mail - www.asciiribbon.org
Please don't top post.
Please don't CC! I'm subscribed to whatever list I just posted on.
___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography


Re: [cryptography] Updated Certificate Transparency site

2013-08-02 Thread Ben Laurie
On 1 August 2013 22:32, Jeffrey Walton noloa...@gmail.com wrote:
> On Thu, Aug 1, 2013 at 5:04 PM, Nico Williams n...@cryptonector.com wrote:
>> On Thu, Aug 1, 2013 at 12:57 PM, wasa bee wasabe...@gmail.com wrote:
>>
>> ... If everyone does their part CT causes the risk
>> of dishonest CA behavior discovery to become too great for CAs to
>> engage in such behavior.
> Sorry to drift a bit, but how so? The best I can tell, there is little
> to no risk because browsers (and others in similar positions) often
> refuse to take action. As Trustwave and Mozilla, Microsoft, et al
> recently demonstrated, it's just a dog and pony show.

Action was taken. What do you mean?


> Jeff


Re: [cryptography] Updated Certificate Transparency site

2013-08-02 Thread Wasa

On 01/08/13 22:04, Nico Williams wrote:

If you're in a position to know what CAs are allowed to issue certs
for a given name, then you can check for (audit) a) issuance of certs
for that name by unauthorized CAs, b) issuance of new certs by
authorized CAs but for unauthorized public keys.

Who's in charge of auditing the certs? The CT people or each domain's admin?
Will CT automatically alert (somehow) the admin when it detects a new
cert for a domain?




[cryptography] Updated Certificate Transparency site

2013-08-01 Thread Ben Laurie
Since there was some puzzlement over CT, I thought it might be of
interest that we have revamped the site:
http://www.certificate-transparency.org/.

Comments and questions welcome.


Re: [cryptography] Updated Certificate Transparency site

2013-08-01 Thread wasa bee
In CT, how do you tell if a newly-generated cert is legitimate or not?
Say, I am a state-sponsored attacker and can get a cert signed by my
national CA for Barclays. How do you tell this cert is not legitimate? It
could have been Barclays' IT admin who asked for a new cert.
Do companies need to liaise with CT to tell them which certs are valid? Do
they need to tell CT each time they change or get new certs?


Sorry if this is basic CT knowledge...
Thanks


On Thu, Aug 1, 2013 at 12:06 PM, Ben Laurie b...@links.org wrote:

> Since there was some puzzlement over CT, I thought it might be of
> interest that we have revamped the site:
> http://www.certificate-transparency.org/.
>
> Comments and questions welcome.


Re: [cryptography] Updated Certificate Transparency site

2013-08-01 Thread Nico Williams
On Thu, Aug 1, 2013 at 12:57 PM, wasa bee wasabe...@gmail.com wrote:
> In CT, how do you tell if a newly-generated cert is legitimate or not?
> Say, I am a state-sponsored attacker and can get a cert signed by my
> national CA for Barclays. How do you tell this cert is not legitimate? It
> could have been Barclays' IT admin who asked for a new cert.
> Do companies need to liaise with CT to tell them which certs are valid? Do
> they need to tell CT each time they change or get new certs?

CT allows the relying parties (e.g., TLS clients) only to verify that
the CA issued the cert in an auditable way.  Only the owners of
resources named by certs (or their agents) can meaningfully audit
certificate issuance.  If everyone does their part CT causes the risk
of dishonest CA behavior discovery to become too great for CAs to
engage in such behavior.

If you're in a position to know what CAs are allowed to issue certs
for a given name, then you can check for (audit) a) issuance of certs
for that name by unauthorized CAs, b) issuance of new certs by
authorized CAs but for unauthorized public keys.

Nico
--
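Nico's two checks, worked as the domain owner's own monitor over a CT log feed. This is an added example, not code from the thread or from the CT project; the log-entry shape, the per-domain policy, and every issuer name and key fingerprint in it are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class DomainPolicy:
    """What the resource owner knows: who may issue for it, and with which keys."""
    domain: str
    authorized_cas: frozenset   # issuer names the owner has actually engaged
    known_spki: frozenset       # hex SHA-256 of each legitimate SubjectPublicKeyInfo

@dataclass
class LogEntry:
    """Simplified view of one CT log entry (constructed, not real log data)."""
    index: int
    issuer: str
    names: tuple                # subject CN plus subjectAltNames
    spki_sha256: str

def covers(policy_domain, name):
    """True if a certificate name is the monitored domain or lies under it."""
    host = name[2:] if name.startswith("*.") else name
    return host == policy_domain or host.endswith("." + policy_domain)

def audit(entries, policies):
    """Return (log index, domain, verdict) for every entry that fails a check.

    'unauthorized_ca'  : check (a), issued by a CA the owner never authorised
    'unauthorized_key' : check (b), authorised CA, but a key the owner does not know
    """
    findings = []
    for e in entries:
        for p in policies:
            if not any(covers(p.domain, n) for n in e.names):
                continue            # not our name; only its owner can judge it
            if e.issuer not in p.authorized_cas:
                findings.append((e.index, p.domain, "unauthorized_ca"))
            elif e.spki_sha256 not in p.known_spki:
                findings.append((e.index, p.domain, "unauthorized_key"))
    return findings

# Constructed sample data: one monitored domain, four log entries.
POLICY = [DomainPolicy("example.com", frozenset({"Example Trust CA"}), frozenset({"aa" * 32}))]
SAMPLE_LOG = [
    LogEntry(100, "Example Trust CA", ("example.com", "www.example.com"), "aa" * 32),
    LogEntry(101, "National CA", ("login.example.com",), "bb" * 32),   # fails check (a)
    LogEntry(102, "Example Trust CA", ("*.example.com",), "cc" * 32),  # fails check (b)
    LogEntry(103, "National CA", ("unrelated.test",), "dd" * 32),      # not our name
]

if __name__ == "__main__":
    print(audit(SAMPLE_LOG, POLICY))
```

Entry 100 is the owner's own cert and produces nothing; 101 and 102 are the two cases the owner, and only the owner, can recognise as wrong.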


Re: [cryptography] Updated Certificate Transparency site

2013-08-01 Thread Jeffrey Walton
On Thu, Aug 1, 2013 at 5:04 PM, Nico Williams n...@cryptonector.com wrote:
> On Thu, Aug 1, 2013 at 12:57 PM, wasa bee wasabe...@gmail.com wrote:
>
> ... If everyone does their part CT causes the risk
> of dishonest CA behavior discovery to become too great for CAs to
> engage in such behavior.
Sorry to drift a bit, but how so? The best I can tell, there is little
to no risk because browsers (and others in similar positions) often
refuse to take action. As Trustwave and Mozilla, Microsoft, et al
recently demonstrated, it's just a dog and pony show.

Jeff