<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:Verdana;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:11.0pt;
        font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:#0563C1;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:#954F72;
        text-decoration:underline;}
span.EmailStyle17
        {mso-style-type:personal-compose;
        font-family:"Calibri","sans-serif";
        color:windowtext;}
span.apple-converted-space
        {mso-style-name:apple-converted-space;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-family:"Calibri","sans-serif";}
@page WordSection1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
        {page:WordSection1;}
--></style>
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoNormal">&lt;I’m continuing to explore some of the questions I asked a few days ago, but starting a new thread since the old one has moved on.&gt;<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">The CT Website says this:<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:'Verdana','sans-serif';color:black;background:white">Most monitors will likely be operated by certificate authorities. This configuration lets certificate authorities build efficient monitors that
 are tailored to their own specific monitoring standards and requirements.<span class="apple-converted-space"><o:p></o:p></span></span></p>
<p class="MsoNormal"><span class="apple-converted-space"><span style="font-size:10.0pt;font-family:'Verdana','sans-serif';color:black;background:white"><o:p> </o:p></span></span></p>
<p class="MsoNormal"><span class="apple-converted-space"><span style="font-size:10.0pt;font-family:'Verdana','sans-serif';color:black;background:white">Can someone explain what is envisioned with CAs running monitors?  I assumed that companies like Google would
 run monitors on their own domains or organizations like the EFF would audit all certificates for compliance.  What would a CA learn from a CT monitor that it wouldn’t know from its own database?<o:p></o:p></span></span></p>
<p class="MsoNormal"><span class="apple-converted-space"><span style="font-size:10.0pt;font-family:'Verdana','sans-serif';color:black;background:white"><o:p> </o:p></span></span></p>
<p class="MsoNormal"><span class="apple-converted-space"><span style="font-size:10.0pt;font-family:'Verdana','sans-serif';color:black;background:white">I guess the obvious answer is that a compromised CA might not know about all of the certs it had issued? 
 But in that case those certs also wouldn’t have valid OCSP responses and could be detected via bad OCSP requests.<o:p></o:p></span></span></p>
<p class="MsoNormal"><span class="apple-converted-space"><span style="font-size:10.0pt;font-family:'Verdana','sans-serif';color:black;background:white"><o:p> </o:p></span></span></p>
<p class="MsoNormal"><span class="apple-converted-space"><span style="font-size:10.0pt;font-family:'Verdana','sans-serif';color:black;background:white">I also understand that there may be value in the CA offering monitoring services to their customers if the
 CA decides they want to be in that business.<o:p></o:p></span></span></p>
<p class="MsoNormal"><span class="apple-converted-space"><span style="font-size:10.0pt;font-family:'Verdana','sans-serif';color:black;background:white"><o:p> </o:p></span></span></p>
<p class="MsoNormal"><span class="apple-converted-space"><span style="font-size:10.0pt;font-family:'Verdana','sans-serif';color:black;background:white">What is the reasoning behind the belief that most monitors will be operated by CAs?<o:p></o:p></span></span></p>
<p class="MsoNormal"><span class="apple-converted-space"><span style="font-size:10.0pt;font-family:'Verdana','sans-serif';color:black;background:white"><o:p> </o:p></span></span></p>
<p class="MsoNormal"><span class="apple-converted-space"><span style="font-size:10.0pt;font-family:'Verdana','sans-serif';color:black;background:white">Thanks,<o:p></o:p></span></span></p>
<p class="MsoNormal"><span class="apple-converted-space"><span style="font-size:10.0pt;font-family:'Verdana','sans-serif';color:black;background:white"><o:p> </o:p></span></span></p>
<p class="MsoNormal"><span class="apple-converted-space"><span style="font-size:10.0pt;font-family:'Verdana','sans-serif';color:black;background:white">Wayne</span></span><o:p></o:p></p>
<p class="MsoNormal"><o:p></o:p></p>
</div>
</body>
</html>