[cabfpub] Question on CT: Monitoring

Ryan Sleevi sleevi at google.com
Fri Dec 20 01:16:39 UTC 2013


On Thu, Dec 19, 2013 at 4:40 PM, Rick Andrews <Rick_Andrews at symantec.com> wrote:

> Wayne,
>
>
>
> “What would a CA learn from a CT monitor that it wouldn’t know from its
> own database?” Anyone acting as a monitor would have to monitor _all_ logs,
> not just the one that the CA might be running. That’s how it would know
> more than what’s in its own db. The CA/monitor would thus be examining all
> certs issued by all CAs that logged them since the last time it checked.
>

Every CA knows they have a relationship with their customers. As such,
they're perfectly capable of offering monitoring as a value-add service for
their customer.

E.g.: "You've got example.com, *.example.com, and mail.example.com from us.
However, we noticed that this small CA in Europe just issued a set of certs
for domains under example.com. Because we CAs proactively care about
security, we wanted to reach out to you"


>
>
> I pointed out that the CT spec doesn’t define how a monitor learns about
> all the logs it needs to monitor, nor how it would learn that a log had
> become untrusted.
>

That's not the point of the spec, however, much in the same way that RFC
5280 does not define what every trust root is or how a trust root is
removed.

Clients that implement CT will indicate the logs that they trust - much in
the same way that they indicate the CAs that they trust or the public
suffixes that they recognize.

On the upside, operating a CT log is far *less* of a security risk to
users, and thus *adding* CT logs to user agents is envisioned to be an
incredibly simple task for log operators and vendors, and likely
automatically updated. The risk of removing a CT log only affects those CAs
that trusted the log and the customers whose certificates they have logged
there, so it allows CAs far greater flexibility in choosing the appropriate
guarantees - both in terms of availability (for their issuance) and
security (to avoid distrusting).


>
>
> “What is the reasoning behind the belief that most monitors will be
> operated by CAs?” My guess is that it’s because we have the relationship
> with the customer.
>

Exactly that. CAs are in the best position to know who their customers are,
and already have channels with their customers. Whether or not a CA cares
about protecting their users against misissuance is, of course, up to each
individual CA, but considering how much has been said about the need to
"restore trust in the ecosystem" - much of which has been lost due to CA
misissuance or misbehaviour - it seems very much in line with the business
interests of CAs to offer this.


>
>
> -Rick
>
>
>
> *From:* public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] *On
> Behalf Of *Wayne Thayer
> *Sent:* Thursday, December 19, 2013 4:31 PM
> *To:* CABFPub
> *Subject:* [cabfpub] Question on CT: Monitoring
>
>
>
> <I’m continuing to explore some of the questions I asked a few days ago,
> but starting a new thread since the old one has moved on.>
>
>
>
> The CT Website says this:
>
>
>
> Most monitors will likely be operated by certificate authorities. This
> configuration lets certificate authorities build efficient monitors that
> are tailored to their own specific monitoring standards and requirements.
>
>
>
> Can someone explain what is envisioned with CAs running monitors?  I
> assumed that companies like Google would run monitors on their own domains
> or organizations like the EFF would audit all certificates for compliance.
> What would a CA learn from a CT monitor that it wouldn’t know from its own
> database?
>
>
>
> I guess the obvious answer is that a compromised CA might not know about
> all of the certs it had issued?  But in that case those certs also wouldn’t
> have valid OCSP responses and could be detected via bad OCSP requests.
>
>
>
> I also understand that there may be value in the CA offering monitoring
> services to their customers if the CA decides they want to be in that
> business.
>
>
>
> What is the reasoning behind the belief that most monitors will be
> operated by CAs?
>
>
>
> Thanks,
>
>
>
> Wayne
>
>
>
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public
>
>
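The monitoring a CA could offer its customers, as described in the exchange above (scan every log, not just the CA's own, and flag certificates for a customer's domains issued by some other CA), as an added example that is not part of the original thread or of any CA's or log's software. The log entries, the customer book, the CA names and the function names are all constructed for illustration; a real monitor would fetch entries from each trusted log's API and parse the certificates.

```python
"""Toy CT monitor: flag certs for a customer's domains that were issued by another CA."""
from dataclasses import dataclass


@dataclass(frozen=True)
class LoggedCert:
    log_id: str   # which log this entry was fetched from
    issuer: str   # name of the issuing CA
    sans: tuple   # dNSName SANs present in the certificate


# Constructed sample: entries as a monitor would hold them after polling three
# hypothetical logs since its last check. None of these are real certificates.
SAMPLE_LOG_ENTRIES = {
    "log-a": [
        LoggedCert("log-a", "Our CA", ("example.com", "*.example.com")),
        LoggedCert("log-a", "Small European CA", ("api.example.com",)),
    ],
    "log-b": [
        LoggedCert("log-b", "Other CA", ("example.org",)),
        LoggedCert("log-b", "Small European CA", ("*.internal.example.com",)),
    ],
    "log-c": [
        LoggedCert("log-c", "Our CA", ("mail.example.com",)),
        LoggedCert("log-c", "Other CA", ("notexample.com",)),
    ],
}

# Constructed customer book: the domains each customer holds with this CA.
CUSTOMERS = {"Example Inc": ("example.com",)}
OUR_CA = "Our CA"


def under_domain(name, domain):
    """True when `name` is `domain` itself or a subdomain of it.

    A wildcard name is judged by its base, so '*.example.com' counts as under
    'example.com'. The comparison is label-aware: 'notexample.com' is NOT
    under 'example.com', even though it ends with the same characters.
    """
    name = name.lower()
    domain = domain.lower()
    if name.startswith("*."):
        name = name[2:]
    return name == domain or name.endswith("." + domain)


def find_foreign_issuance(log_entries, customers, our_ca):
    """Walk every log and return one finding per certificate that covers a
    customer's domains but was issued by a CA other than `our_ca`.

    Each finding is (customer, issuer, log_id, matching_sans). Certificates
    this CA issued itself are skipped: those are already in its own database.
    """
    findings = []
    for log_id, entries in log_entries.items():
        for cert in entries:
            if cert.issuer == our_ca:
                continue
            for customer, domains in customers.items():
                hits = tuple(
                    san for san in cert.sans
                    if any(under_domain(san, d) for d in domains)
                )
                if hits:
                    findings.append((customer, cert.issuer, log_id, hits))
    return findings


def findings_by_customer(findings):
    """Group findings per customer so one notice can be sent per customer."""
    grouped = {}
    for customer, issuer, log_id, hits in findings:
        grouped.setdefault(customer, []).append((issuer, log_id, hits))
    return grouped


if __name__ == "__main__":
    for customer, items in findings_by_customer(
        find_foreign_issuance(SAMPLE_LOG_ENTRIES, CUSTOMERS, OUR_CA)
    ).items():
        print(f"Notice for {customer}:")
        for issuer, log_id, hits in items:
            print(f"  {issuer} logged a cert for {', '.join(hits)} in {log_id}")
```

The monitor only knows about foreign issuance because it reads all three logs; the two findings here come from logs that hold no certificate from "Our CA" at all, which is the point made above about why a monitor cannot stop at the CA's own database or its own log.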