Re: CA scope transparency (was Re: Name-constraining government CAs, or not)

2015-06-10 Thread Hubert Kario
On Tuesday 09 June 2015 11:57:40 Rick Andrews wrote: On Tuesday, June 9, 2015 at 3:05:30 AM UTC-7, Hubert Kario wrote: True, OTOH, if a third party says that there was a misissuance, that means there was one. I disagree. Only the domain owner knows for sure what is a misissuance, and what

Re: New certificate search tool - crt.sh

2015-06-10 Thread Hubert Kario
On Tuesday 09 June 2015 10:53:37 Rob Stradling wrote: On 08/06/15 15:09, Rob Stradling wrote: On 08/06/15 14:54, Hubert Kario wrote: On Wednesday 03 June 2015 09:43:23 Eric Mill wrote: This is outstanding - simple, but totally what people need to start getting the idea and benefit of

Re: CA scope transparency (was Re: Name-constraining government CAs, or not)

2015-06-10 Thread Matt Palmer
On Tue, Jun 09, 2015 at 12:00:23PM -0700, Rick Andrews wrote: On Tuesday, June 9, 2015 at 7:45:05 AM UTC-7, Kurt Roeckx wrote: On 2015-06-09 15:26, Peter Kurrasch wrote: 3) How frequently might such tools run? Or to put it differently, how much time do I probably have between when I

Re: CA scope transparency (was Re: Name-constraining government CAs, or not)

2015-06-10 Thread Matt Palmer
On Tue, Jun 09, 2015 at 08:26:55AM -0500, Peter Kurrasch wrote: 1) How to exclude domains from the search? For example I want to find gmail certs but exclude something like eggmail which could be a false positive. Constrain your search to domains which have a name part which is exactly

Re: CA scope transparency (was Re: Name-constraining government CAs, or not)

2015-06-10 Thread Rob Stradling
On 10/06/15 01:54, Matt Palmer wrote: On Tue, Jun 09, 2015 at 10:44:58AM +0100, Rob Stradling wrote: On 09/06/15 04:05, Clint Wilson wrote: To further support your claims here, Chris, there are already tools coming out which actively monitor domains in CT logs and can be set up with

Re: CA scope transparency (was Re: Name-constraining government CAs, or not)

2015-06-10 Thread Rick Andrews
I don't understand. The domain owner/admin is not a third party. -Rick On Jun 10, 2015, at 4:01 AM, Hubert Kario hka...@redhat.com wrote: On Tuesday 09 June 2015 11:57:40 Rick Andrews wrote: On Tuesday, June 9, 2015 at 3:05:30 AM UTC-7, Hubert Kario wrote: True, OTOH, if a third party

Re: New certificate search tool - crt.sh

2015-06-10 Thread Rob Stradling
On 03/06/15 16:46, Rob Stradling wrote: On 03/06/15 16:15, Richard Barnes wrote: snip David Keeler has done some work on visualizing certs that may be helpful. http://people.mozilla.org/~dkeeler/certsplainer/ https://github.com/mozkeeler/certsplainer I'll take a look. Thanks. Hi Richard.

Re: CA scope transparency (was Re: Name-constraining government CAs, or not)

2015-06-10 Thread Hubert Kario
On Wednesday 10 June 2015 07:28:06 Rick Andrews wrote: I don't understand. The domain owner/admin is not a third party. The third party in question was an entity running the CT service and since they can produce a certificate signed by a trusted CA as a proof of misissuance, the data itself