Hacker News new | ask | show | jobs
by lambdaxyzw 775 days ago
The point of certificate transparency is to have a public audit log of every certificate issued. Even if you had your own CA, you would be obliged to report every certificate you issue to the CT. This is a feature, not a bug.
1 comments
vbezhenar 775 days ago
Certificate Transparency needed to serve website owners and not some greater good. Knowing that someone issued wildcard is enough.
link
jchw 775 days ago
Certificate Transparency really serves the end user.

Because the most popular browsers (at least Chrome and Safari) generally require CT logged certificates, if you want to successfully perform a MitM attack against any user, even just some individual user, even controlling a CA, you still can't do so without publishing your fraudulent certificate to a CT log.

This is the important function of the CT log. It is an effective balance against compromised CAs and governments that might abuse CAs, because it causes such attacks to become quickly tamper-evident.

I don't think it would be possible for a system like this to be effective without publishing the actual certificate to the log.

link
vbezhenar 775 days ago
I don't follow your threat model.

Let's say that browser is fine with CT if either leaf or intermediate certificate is logged.

If you need to issue fake certificate, you need to either log it, or you need to issue fake intermediate certificate and log it.

Either way it's visible to website owner (and other people likely won't care anyway).

link
jchw 775 days ago
It would be completely possible to do it that way, but doing it this way ensures that at no point does certificate issuance become opaque and impossible to scrutinize. We want to ensure that CAs follow certain rules, and CT logs are one way to do this. For example, a CA should not issue a certificate with a forged "not before" time. There are certainly many more cases like this.

Public CT logs mean that the property of transparent certificate issuance extends to the entire Internet, which is good. If you want private certs, you can use a private CA and deploy it to the machines in your domain. Totally reasonable alternative in my opinion.

link