[cabfpub] Question on CT: Monitoring

Ryan Sleevi sleevi at google.com
Fri Dec 20 21:02:09 UTC 2013

On Thu, Dec 19, 2013 at 7:26 PM, kirk_hall at trendmicro.com <
kirk_hall at trendmicro.com> wrote:

>  Ryan – on this one narrow point below – I would estimate that 99.9% of
> site owners / CA customers do not believe they are at any risk of false
> certificate issuance for their domains and do now want or expect their
> issuing CAs to be (voluntarily and unasked) monitoring all the CT logs in
> the world for them.

I merely suggested that this was a *possibility*, not that it would be
required of any CA.

You were asking under what conditions would a CA be monitoring the CT log,
and I tried to explain one such scenario.

> Plus (based on an earlier hypothetical in an email), I expect some (many?)
> of our customers would be at least mildly offended if our company (who
> supplies them with certs in North America, let’s say) suddenly emailed them
> with the message “Hey, we noticed some certs for your domains issued by
> some small CA in Europe – those must be fake, right?” and would see it as a
> pretty heavy handed marketing effort by us to capture 100% of their SSL
> business.

Perhaps. We're talking in hypotheticals here, and it's hard to say how a
given CA might implement this. That said, if a customer has given strong
signals to a CA (eg: via HPKP, CAA, or some opt-in), it would seem to be a
real shame for that CA not to provide proactive security services to their
customer. Given how many CAs are investing in providing just such services,
it seems reasonable to suggest that at least some will adopt CT as an
augmentation of providing their customers with an even higher level of

> I really don’t see that kind of CT log monitoring as a useful or welcome
> market service to most SSL customers, unless they specifically ask a CA to
> monitor all the CT logs in the world for them and send them reports.  I
> predict most customers won’t be very interested in this service (especially
> if there is a fee), but who knows?

How it's implemented is certainly up to the CA, and it's reasonable to
believe that some CAs will implement it in a customer-friendly manner, and
some will implement it in a customer-hostile manner. That's just business
as usual, and applies to any industry.

I would hope that, as CT is deployed, CAs would already be proactively
monitoring the logs, such as to measure for their own misissuance (in a
world where CT becomes mandatory for all certs, and not just EV certs). As
Chris Palmer has suggested elsewhere, CT provides signals not just to the
public, but to the CAs themselves. To also monitor such logs on their
customers behalf, whether at explicit request or based upon some signals,
seems to be a negligible cost, but that is of course up to the CAs to

I'm merely explaining how, in a world with CT, there are many benefits to
the many actors in the system, and a significant reduction in risk - for
all parties.

> *From:* public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] *On
> Behalf Of *Ryan Sleevi
> *Sent:* Thursday, December 19, 2013 8:17 PM
> *To:* Rick Andrews
> *Cc:* CABFPub
> *Subject:* Re: [cabfpub] Question on CT: Monitoring
> “What is the reasoning behind the belief that most monitors will be
> operated by CAs?” My guess is that it’s because we have the relationship
> with the customer.
> Exactly that. CAs are in the best position to know who their customers
> are, and already have channels with their customers. Whether or not a CA
> cares about protecting their users against misissuance is, of course, up to
> each individual CA, but considering how much has been said about the need
> to "restore trust in the ecosystem" - much of which has been lost due to CA
> misissuance or misbehaviour - it seems very much in line with the business
> interests of CAs to offer this.
> The information contained in this email and any attachments is confidential
> and may be subject to copyright or other intellectual property protection.
> If you are not the intended recipient, you are not authorized to use or
> disclose this information, and we request that you notify us by reply mail or
> telephone and delete the original message from your mail system.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20131220/75f877c7/attachment-0003.html>

More information about the Public mailing list