[cabfpub] Question on CT: Monitoring

[Wayne Thayer]

<I'm continuing to explore some of the questions I asked a few days ago, but starting a new thread since the old one has moved on.>

The CT Website says this:

Most monitors will likely be operated by certificate authorities. This configuration lets certificate authorities build efficient monitors that are tailored to their own specific monitoring standards and requirements.

Can someone explain what is envisioned with CAs running monitors?  I assumed that companies like Google would run monitors on their own domains or organizations like the EFF would audit all certificates for compliance.  What would a CA learn from a CT monitor that it wouldn't know from its own database?

I guess the obvious answer is that a compromised CA might not know about all of the certs it had issued?  But in that case those certs also wouldn't have valid OCSP responses and could be detected via bad OCSP requests.

I also understand that there may be value in the CA offering monitoring services to their customers if the CA decides they want to be in that business.

What is the reasoning behind the belief that most monitors will be operated by CAs?

Thanks,

Wayne
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://cabforum.org/pipermail/public/attachments/20131220/f8f2e472/attachment.html