by adolph 132 days ago
> certificate authority logs, which are actively monitored by vulnerability scanners

That sounds like a large kick-me sign taped to every new service. Reading how certificate transparency (CT) works leads me to think that there was a missed opportunity to publish hashes to the logs instead of the actual certificate data. That way a browser performing a certificate check can verify in CT, but a spammer can't monitor CT for new domains.

https://certificate.transparency.dev/howctworks/


I think it was more of an intentional tradeoff, as one of the many goals of CT logs was to allow domain owners to discover certificates issued for their domains, or more generally for any interested party to audit the activity of a certificate authority.

What you're describing there is certificate... translucency, I guess?

Yes, "translucent database" was exactly the concept I thought of when asking the question. The concept is to keep access to specific items easy but make accessing the entire thing as a whole more costly.
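To make the trade-off in this thread concrete, here is an added illustration (not code from any commenter, nor from the CT project linked above) of a simplified Merkle-tree log in the style of RFC 6962: leaves are hashed with a 0x00 prefix and interior nodes with 0x01, but the odd-node rule is simplified rather than RFC 6962's exact subtree split. The "certificates" are constructed byte strings, not real DER. It shows both halves of the argument: a client that holds the certificate can still verify an inclusion proof against a log that publishes only leaf hashes (the "translucent" variant), while a party scanning that same hash log, whether a spammer or the legitimate domain owner, cannot find a domain in it without already having the certificate bytes. All function names are this example's own.

```python
import hashlib
from typing import List, Tuple

# Constructed sample "certificates": stand-ins for DER bytes, not real certs.
SAMPLE_CERTS: List[bytes] = [
    b"cert:CN=example.com,serial=1001,key=AAAA",
    b"cert:CN=mail.example.com,serial=1002,key=BBBB",
    b"cert:CN=shop.example.org,serial=1003,key=CCCC",
    b"cert:CN=internal.example.net,serial=1004,key=DDDD",
    b"cert:CN=staging.example.net,serial=1005,key=EEEE",
]


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def leaf_hash(cert: bytes) -> bytes:
    # RFC 6962 domain separation: leaf hashes get a 0x00 prefix.
    return sha256(b"\x00" + cert)


def node_hash(left: bytes, right: bytes) -> bytes:
    # Interior nodes get a 0x01 prefix so a leaf can never masquerade as a node.
    return sha256(b"\x01" + left + right)


def build_tree(leaves: List[bytes]) -> List[List[bytes]]:
    """Return all levels of the tree, level 0 being the leaves.
    Simplification (assumption of this example): an unpaired node is promoted
    unchanged to the next level instead of RFC 6962's power-of-two split."""
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur, nxt = levels[-1], []
        for i in range(0, len(cur), 2):
            nxt.append(node_hash(cur[i], cur[i + 1]) if i + 1 < len(cur) else cur[i])
        levels.append(nxt)
    return levels


def inclusion_proof(levels: List[List[bytes]], index: int) -> List[Tuple[bytes, bool]]:
    """Audit path for leaf `index`: list of (sibling_hash, sibling_is_left)."""
    proof = []
    for level in levels[:-1]:
        sibling = index ^ 1
        if sibling < len(level):  # unpaired nodes contribute nothing to the path
            proof.append((level[sibling], sibling < index))
        index //= 2
    return proof


def verify_inclusion(cert: bytes, proof: List[Tuple[bytes, bool]], root: bytes) -> bool:
    """What a browser would do: recompute the leaf from the cert it was
    handed, fold in the audit path, and compare against the signed root.
    Only the leaf hashes and the path are needed from the log."""
    h = leaf_hash(cert)
    for sibling, sibling_is_left in proof:
        h = node_hash(sibling, h) if sibling_is_left else node_hash(h, sibling)
    return h == root


def domain_visible_in_log(published_entries: List[bytes], domain: bytes) -> bool:
    """A monitor (spammer or domain owner alike) grepping published entries
    for a domain name. Works on a plaintext-certificate log; finds nothing
    in a hash-only log because SHA-256 output carries no substring of input."""
    return any(domain in entry for entry in published_entries)


def demo() -> dict:
    leaves = [leaf_hash(c) for c in SAMPLE_CERTS]
    levels = build_tree(leaves)
    root = levels[-1][0]
    proofs_ok = all(
        verify_inclusion(c, inclusion_proof(levels, i), root)
        for i, c in enumerate(SAMPLE_CERTS)
    )
    forged_ok = verify_inclusion(b"cert:CN=evil.example.com", inclusion_proof(levels, 0), root)
    return {
        "proofs_verify": proofs_ok,            # True: clients holding the cert can check CT
        "forged_cert_verifies": forged_ok,     # False: the audit path binds the exact bytes
        "plaintext_log_reveals_domain": domain_visible_in_log(SAMPLE_CERTS, b"example.com"),
        "hash_log_reveals_domain": domain_visible_in_log(leaves, b"example.com"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The last two values in `demo()` are the trade-off the reply above points at: hashing the leaves does stop passive enumeration of new domains, but it equally stops a domain owner from discovering a certificate they never requested, because finding an entry requires already holding the certificate that produced it.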