Andrew,
...
Yes, a Monitor serving www1 would think the log entry was OK,
even though it also would match www2. But, this requires that www2
has the same key as www1. If there was a compromise of www1, then
I agree that a Monitor would not detect the compromise, but a
Monitor isn't really intended to do that.
Alternatively, www1 could be operated by a third party who holds the
private key (not an uncommon scenario). I think a Monitor should be
expected to detect an attempt by that third-party to misuse their key to
impersonate www2.
I agree that the purpose of a Monitor is to detect cert mis-issuance and
having www2 be able to use the same SCT as www1 is an example of such.
If the private key for www1 is held by another party because that party
is running the web site on behalf of the entity responsible for www1,
then www1 already has a serious vulnerability. Is there some other case
where you envision www1 will grant a 3rd party access to its private key?
If this represents collusion
between www1 and www2 then this is good example of how colluding
Subjects could use an SCT issued for one Subject with a cert for
another Subject, because of the properties of redacted certs. Got it.
It doesn't require collusion between the subjects. Rather, one subject
colludes with the CA to attack the other subject.
Yes, because name-redaction requires a pre-cert, and only a CA can
submit a pre-cert, the CA issuing the pre-cert has to be complicit.
Thanks for the clarification.
Steve
_______________________________________________
Trans mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/trans
