[cabfpub] Misissuance of certificates

Doug Beattie doug.beattie at globalsign.com
Mon Nov 9 17:18:52 UTC 2015


You're so agreeable today!


It's only a matter of time before CT will be mandatory, so we all need to be
looking down the road and trying to figure out how this is going to work.  As
far as name redaction, the Domain Name will be disclosed in the certificate
CN/SAN fields but not necessarily the node values to the left.  This will
allow everyone to know that a cert was issued to some server on domain.com,
but not the exact value.  This will be useful for those that want to monitor
issuance of certs to their domains.  If they find one then they can track
down and inquire about the details with the CA directly.




From: Eddy Nigg [mailto:eddy_nigg at startcom.org] 
Sent: Monday, November 9, 2015 12:09 PM
To: Doug Beattie <doug.beattie at globalsign.com>; Dean Coclin
<Dean_Coclin at symantec.com>; public at cabforum.org
Subject: Re: [cabfpub] Misissuance of certificates

We had been planning to use CT with name redaction to support making all
certificates publicly available without exposing the exact FQDNs being

Is that even possible? I don't think so, otherwise what's the use for CT in
the first place...

And with this understanding why CT should be optional and subject to the
subscriber's consent in the first place I guess.





Eddy Nigg, COO/CTO


StartCom Ltd. <http://www.startcom.org> 


startcom at startcom.org <xmpp:startcom at startcom.org> 


Join the Revolution! <http://blog.startcom.org> 


Follow Me <http://twitter.com/eddy_nigg> 


