Ben,

> On 14 March 2016 at 14:39, Stephen Kent <[email protected]> wrote:
>> The logged bogus certificate can be detected by a Monitor (third party or
>> self) that is watching the log(s) to which the certificate was posted. Thus
>> the detection aspect of CT still works with regard to this certificate. When
>> this certificate is detected, the CA that logged the certificate may revoke
>> it, i.e., place it on a CRL or create an OCSP response for it. However, a
>> browser checking a CRL or OCSP response will not match this revocation
>> status data against the other, not-logged bogus certificate. (This is
>> because revocation status checking is performed in the context of a
>> certificate path and the two bogus certificates have different certificate
>> paths.) Revoking a detected, bogus certificate may be the best strategy for
>> the malicious CAs. It makes issuance of the bogus certificate appear to be
>> an accident, and thus browser vendors may not feel the need to make an entry
>> on their blacklists for the bogus certificate or the CA that issued it.
>
> I do not believe this is correct. And if it is, it is a serious bug in
> revocation that has nothing to do with certificate transparency.
What do you believe is incorrect about my description of revocation
status checking?

A relying party validates a cert by walking down a cert path from a trust
anchor to a target cert. In DKG's example, the two CAs with the same name have
different trust anchor parents, thus there are two distinct paths. A CRL (or OCSP
response) issued by a CA on one path is totally independent from a CRL (or OCSP
response) issued by a CA on a distinct path.
> Also, I don't get the logic of the "not-logged bogus certificate",
> which is identical to the logged certificate - and is therefore
> logged. And not bogus.

A cert is bogus when it is issued to an entity that is not authorized
to represent the Subject of the cert. This is true whether the cert is
logged or not.

Steve
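The path-scoped revocation behaviour Steve describes, as an added toy model that is not part of the thread or of any CT or PKI library. Signature verification is replaced by comparing key identifiers, and all names, serials and key ids are constructed: two CAs share the name "CN=Some CA" but chain to different trust anchors, and a CRL signed by the first CA's key is evaluated only on the path that contains that CA.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Toy X.509 model (constructed for illustration). A cert whose signature was made with
# key k is treated as verifiable exactly by the certificate whose key_id is k; that
# stands in for real signature verification.

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    serial: int
    key_id: str         # identifier of this certificate's own public key
    signed_by_key: str  # key that produced the signature on this certificate

@dataclass(frozen=True)
class CRL:
    signed_by_key: str              # key of the CA that issued the CRL
    revoked_serials: FrozenSet[int]

def build_path(target: Cert, intermediates: List[Cert],
               trust_anchors: List[Cert]) -> Optional[List[Cert]]:
    """Return [trust_anchor, ..., target], or None if no path verifies.
    Each link must match on the issuer *name* and on the key that verifies the
    signature, so two CAs with the same name but different keys give distinct paths."""
    path = [target]
    cur = target
    for _ in range(8):  # bound the walk; real validators limit path length too
        for ta in trust_anchors:
            if ta.subject == cur.issuer and ta.key_id == cur.signed_by_key:
                return list(reversed(path + [ta]))
        parents = [c for c in intermediates
                   if c.subject == cur.issuer and c.key_id == cur.signed_by_key]
        if not parents:
            return None
        cur = parents[0]
        path.append(cur)
    return None

def is_revoked_on_path(path: List[Cert], crls: List[CRL]) -> bool:
    """Revocation is evaluated per path: each cert is checked only against CRLs
    signed by the key of its issuer *on that path*, never by a same-named CA elsewhere."""
    for issuer, subject in zip(path, path[1:]):
        for crl in crls:
            if crl.signed_by_key == issuer.key_id and subject.serial in crl.revoked_serials:
                return True
    return False

# Constructed scenario modelled on DKG's example as described in the thread.
ROOT_A = Cert("CN=Root A", "CN=Root A", 1, "key-root-a", "key-root-a")
ROOT_B = Cert("CN=Root B", "CN=Root B", 1, "key-root-b", "key-root-b")
# Two CAs with the same name, chaining to different trust anchors.
CA_1 = Cert("CN=Some CA", "CN=Root A", 10, "key-ca-1", "key-root-a")
CA_2 = Cert("CN=Some CA", "CN=Root B", 10, "key-ca-2", "key-root-b")
# Two bogus certs for the same name and serial, one issued under each CA.
BOGUS_LOGGED = Cert("CN=victim.example", "CN=Some CA", 100, "key-leaf-1", "key-ca-1")
BOGUS_NOT_LOGGED = Cert("CN=victim.example", "CN=Some CA", 100, "key-leaf-2", "key-ca-2")

TRUST_ANCHORS = [ROOT_A, ROOT_B]
INTERMEDIATES = [CA_1, CA_2]
# After a monitor spots the logged cert, CA_1 revokes serial 100 under its own key.
CRLS = [CRL("key-ca-1", frozenset({100}))]

def check(cert: Cert) -> Tuple[Optional[str], bool]:
    """(subject of the trust anchor the path ends at, revoked on that path?)."""
    path = build_path(cert, INTERMEDIATES, TRUST_ANCHORS)
    if path is None:
        return None, False
    return path[0].subject, is_revoked_on_path(path, CRLS)

if __name__ == "__main__":
    print(check(BOGUS_LOGGED))       # ('CN=Root A', True)
    print(check(BOGUS_NOT_LOGGED))   # ('CN=Root B', False)
```

Running it shows the logged cert revoked on the Root A path while the unlogged twin, which builds a path through the other same-named CA to Root B, is still accepted; matching CRLs on issuer name alone, rather than on the issuing key on the path, is the step that would be needed for the revocation to carry over, and real validators do not do that.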
_______________________________________________
Trans mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/trans