[cabfpub] Question on CT: Monitoring
bhill at paypal.com
Fri Dec 20 00:55:50 UTC 2013
Yes. As was the case for Diginotar, seeing valid certificates off your root show up with serial numbers you don't know about would be a strong indicator of compromise.
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Wayne Thayer
Sent: Thursday, December 19, 2013 4:53 PM
To: Rick Andrews; CABFPub
Subject: Re: [cabfpub] Question on CT: Monitoring
I understand that a CA would have to monitor other logs (for that matter a CA doesn't have to operate its own log), but what would a CA look for in those logs? My point is that a CA would most likely already know everything about every cert it issued, so I can only guess that a CA would monitor logs for certs it didn't issue?
From: Rick Andrews [mailto:Rick_Andrews at symantec.com]
Sent: Thursday, December 19, 2013 5:41 PM
To: Wayne Thayer; CABFPub
Subject: RE: Question on CT: Monitoring
"What would a CA learn from a CT monitor that it wouldn't know from its own database?" Anyone acting as a monitor would have to monitor _all_ logs, not just the one that the CA might be running. That's how it would know more than what's in its own db. The CA/monitor would thus be examining all certs issued by all CAs that logged them since the last time it checked.
I pointed out that the CT spec doesn't define how a monitor learns about all the logs it needs to monitor, nor how it would learn that a log had become untrusted.
"What is the reasoning behind the belief that most monitors will be operated by CAs?" My guess is that it's because we have the relationship with the customer.
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Wayne Thayer
Sent: Thursday, December 19, 2013 4:31 PM
Subject: [cabfpub] Question on CT: Monitoring
<I'm continuing to explore some of the questions I asked a few days ago, but starting a new thread since the old one has moved on.>
The CT Website says this:
Most monitors will likely be operated by certificate authorities. This configuration lets certificate authorities build efficient monitors that are tailored to their own specific monitoring standards and requirements.
Can someone explain what is envisioned with CAs running monitors? I assumed that companies like Google would run monitors on their own domains or organizations like the EFF would audit all certificates for compliance. What would a CA learn from a CT monitor that it wouldn't know from its own database?
I guess the obvious answer is that a compromised CA might not know about all of the certs it had issued? But in that case those certs also wouldn't have valid OCSP responses and could be detected via bad OCSP requests.
I also understand that there may be value in the CA offering monitoring services to their customers if the CA decides they want to be in that business.
What is the reasoning behind the belief that most monitors will be operated by CAs?
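The monitoring loop the thread sketches (read every log, not just your own, since the last checkpoint; flag certificates chaining to your root whose serial numbers your issuance database has never seen) as an added, stand-alone example; this is not code from the thread, from the CT project, or from any CA. Log entries are reduced to the fields the check needs and are constructed inline in place of RFC 6962 get-entries responses; the issuer name, serials, subjects and the issuance database are all hypothetical. A real monitor would also fetch and verify signed tree heads and consistency proofs before trusting what a log returned.

```python
"""Toy CT monitor: compare every logged certificate that names our root as
issuer against our own issuance records.  Added example, not CA code."""
from dataclasses import dataclass, field

# Hypothetical distinguished name of the root being monitored.
OUR_ISSUER = "CN=Example Root CA,O=Example CA Inc"


@dataclass(frozen=True)
class LogEntry:
    """One certificate as a log would return it, reduced to the fields the check uses."""
    index: int
    issuer: str
    serial: str
    subject: str


# Constructed sample logs.  The same certificate may be logged in several logs,
# and a log run by another CA may hold certificates from many issuers.
LOGS = {
    "log-a": [
        LogEntry(0, OUR_ISSUER, "0x01a2", "CN=www.example.com"),
        LogEntry(1, "CN=Other CA", "0x01a2", "CN=other.example"),   # same serial, different issuer
        LogEntry(2, OUR_ISSUER, "0x01a3", "CN=mail.example.com"),
        LogEntry(3, OUR_ISSUER, "0x7f00", "CN=login.example.net"),  # never issued by us
    ],
    "log-b": [
        LogEntry(0, OUR_ISSUER, "0x01a3", "CN=mail.example.com"),   # duplicate of log-a index 2
        LogEntry(1, OUR_ISSUER, "0x7f00", "CN=login.example.net"),  # same rogue cert, second log
        LogEntry(2, OUR_ISSUER, "0x01a2", "CN=evil.example.org"),   # known serial, wrong subject
    ],
}

# Constructed issuance database of the monitoring CA: serial -> subject issued.
ISSUANCE_DB = {
    "0x01a2": "CN=www.example.com",
    "0x01a3": "CN=mail.example.com",
}


@dataclass
class Checkpoint:
    """Per-log index of the next entry to examine; persisted between runs."""
    positions: dict = field(default_factory=dict)


def fetch_new_entries(logs, checkpoint):
    """Yield (log_id, entry) for every not-yet-examined entry in *all* logs,
    then advance the checkpoint for each log."""
    for log_id, entries in logs.items():
        start = checkpoint.positions.get(log_id, 0)
        for entry in entries[start:]:
            yield log_id, entry
        checkpoint.positions[log_id] = len(entries)


def classify(entry, db):
    """Return a reason string if the entry is suspicious for our root, else None."""
    if entry.issuer != OUR_ISSUER:
        return None                      # not ours; another CA's monitor cares
    recorded = db.get(entry.serial)
    if recorded is None:
        return "unknown serial under our issuer"
    if recorded != entry.subject:
        return f"serial known but subject differs (db has {recorded!r})"
    return None


def run_monitor(logs, db, checkpoint):
    """Return alerts keyed by (serial, subject), each listing the logs the
    suspect certificate was seen in, so duplicates across logs collapse."""
    alerts = {}
    for log_id, entry in fetch_new_entries(logs, checkpoint):
        reason = classify(entry, db)
        if reason is None:
            continue
        key = (entry.serial, entry.subject)
        alert = alerts.setdefault(key, {"reason": reason, "logs": []})
        alert["logs"].append(log_id)
    return alerts


if __name__ == "__main__":
    cp = Checkpoint()
    for key, alert in run_monitor(LOGS, ISSUANCE_DB, cp).items():
        print(key, alert)
    print("second pass:", run_monitor(LOGS, ISSUANCE_DB, cp))  # nothing new
```

The second call returns nothing because the checkpoint moved past every entry already examined; in a real deployment the checkpoint would be the tree size of the last verified signed tree head per log, and the list of logs to poll is exactly the configuration item the thread notes the specification does not provide.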