On 14 March 2016 at 14:39, Stephen Kent <[email protected]> wrote:
> The logged bogus certificate can be detected by a Monitor (third party or
> self), that is watching the log(s) to which the certificate was posted. Thus
> the detection aspect of CT still works with regard to this certificate. When
> this certificate is detected, the CA that logged the certificate may revoke
> it, i.e., place it on a CRL or create an OCSP response for it. However, a
> browser checking a CRL or OCSP response will not match this revocation
> status data against the other, not-logged bogus certificate. (This is
> because revocation status checking is performed in the context of a
> certificate path and the two bogus certificates have different certificate
> paths.) Revoking a detected, bogus certificate may be the best strategy for
> the malicious CAs. It makes issuance of the bogus certificate appear to be
> an accident, and thus browser vendors may not feel the need to make an entry
> on their blacklists for the bogus certificate or the CA that issued it.
I do not believe this is correct. And if it is, it is a serious bug in revocation that has nothing to do with certificate transparency.

Also, I don't get the logic of the "not-logged bogus certificate", which is identical to the logged certificate - and is therefore logged. And not bogus.

_______________________________________________
Trans mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/trans
