So basically we have: if you mis-issue an end-entity cert and don't update the CT logs, the cert won't work; mis-issue the cert and update the logs with the mis-issuance and everything works just fine.
As you say, someone might notice it and say something, but there is also a chance that nobody will figure it out. Follow-up question: how much time must transpire from the time a cert is issued to when a browser is expected to start accepting it?

Original Message
From: Chris Palmer
Sent: Tuesday, April 14, 2015 1:09 PM
To: Peter Kurrasch
Cc: Rob Stradling; dev-security-policy
Subject: Re: What is the security benefit of certificate transparency?

Problem: Mis-issuance sometimes happens, whether by accident or by attack. We don't always know about mis-issuance when it happens. Sometimes we learn by luck; but without luck, it's invisible.

Solution: Require issuers to issue in the public. "Require" here means "as a matter of policy in e.g. CA/Browser Forum and Mozilla Root Program" and "the UA will reject, at run-time, certificate chains that were not provably issued in public". The latter mechanism makes it impossible to mis-issue invisibly.

People who care about mis-issuance, whether globally or just for their own sites, run a shell script to check the public logs every day/hour. I think it's obvious that a lot of people care about mis-issuance, and that writing shell scripts is pretty easy. For example, even with the current luck-powered detection system, we have plenty of hue and cry. Such as on this mailing list. Indeed, I'd say a bigger problem will be that we might discover much more mis-issuance, at least at first, and that this list will get *too* busy...

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
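The "shell script to check the public logs" that the quoted message refers to is, in practice, a monitor that walks an RFC 6962 log's `get-entries` output and raises an alarm when a certificate for one of your domains shows up from a CA you never used. The following Python is an added, self-contained example written for this page, not code from the thread, Mozilla, or any CT project. It parses the MerkleTreeLeaf structure exactly as a log returns it (version, leaf type, timestamp, x509_entry or precert_entry, length-prefixed DER, extensions), then pulls the issuer CN and SAN dNSNames out of the (pre)certificate with a deliberately minimal DER walker. The log entries it runs over are constructed inline with a tiny DER encoder; the "certificates" inside them have only the fields the monitor reads and are not valid certificates. A real monitor would fetch `https://<log>/ct/v1/get-entries?start=N&end=M` on a schedule, persist the last index it checked, and hand the DER to a proper X.509 library instead of this walker.

```python
"""
Toy Certificate Transparency monitor (added example, stdlib only).

Parses RFC 6962 get-entries leaves, extracts issuer CN and SAN dNSNames
with a minimal DER walker, and flags certs for watched domains that were
issued by a CA not on the expected list.  All log data below is constructed.
"""
import base64
import json

OID_CN = b"\x06\x03\x55\x04\x03"    # 2.5.4.3   commonName (DER TLV of the OID)
OID_SAN = b"\x06\x03\x55\x1d\x11"   # 2.5.29.17 subjectAltName


def der_read(buf, pos=0):
    """Read one DER TLV at pos (single-byte tags only); return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length: 0x8N then N length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def der_children(buf):
    """Yield (tag, value) for every TLV packed inside a constructed value."""
    pos = 0
    while pos < len(buf):
        tag, value, pos = der_read(buf, pos)
        yield tag, value


def cert_names_and_issuer(der):
    """Return (issuer CN, [dNSNames]) from a Certificate or a bare TBSCertificate."""
    fields = list(der_children(der_read(der)[1]))
    if fields and fields[0][0] == 0x30:    # Certificate: first field is the TBSCertificate
        fields = list(der_children(fields[0][1]))
    i = 1 if fields[0][0] == 0xA0 else 0   # skip EXPLICIT [0] version when present
    issuer_cn = ""
    for _, rdn_set in der_children(fields[i + 2][1]):   # serial, sigalg, issuer
        for _, atv in der_children(rdn_set):
            if atv.startswith(OID_CN):
                issuer_cn = der_read(atv, len(OID_CN))[1].decode()
    names = []
    for tag, value in fields:
        if tag != 0xA3:                    # [3] extensions
            continue
        for _, ext in der_children(der_read(value)[1]):
            if ext.startswith(OID_SAN):    # Extension ::= { OID, [critical], OCTET STRING }
                octets = [v for t, v in der_children(ext) if t == 0x04][0]
                names = [v.decode() for t, v in der_children(der_read(octets)[1]) if t == 0x82]
    return issuer_cn, names


def parse_leaf(leaf_input):
    """Parse an RFC 6962 MerkleTreeLeaf (v1, timestamped_entry) into its parts."""
    if leaf_input[0] != 0 or leaf_input[1] != 0:
        raise ValueError("unsupported MerkleTreeLeaf version/type")
    timestamp_ms = int.from_bytes(leaf_input[2:10], "big")
    entry_type = int.from_bytes(leaf_input[10:12], "big")
    pos = 12
    if entry_type == 1:                    # precert_entry: 32-byte issuer_key_hash comes first
        pos += 32
    elif entry_type != 0:
        raise ValueError("unknown LogEntryType %d" % entry_type)
    length = int.from_bytes(leaf_input[pos:pos + 3], "big")   # opaque<1..2^24-1>
    return {"timestamp_ms": timestamp_ms,
            "entry_type": "precert_entry" if entry_type else "x509_entry",
            "der": leaf_input[pos + 3:pos + 3 + length]}


def covers(cert_name, watched_domain):
    """True if a SAN entry (possibly a wildcard) names the watched domain or a subdomain."""
    n = cert_name.lower()
    n = n[2:] if n.startswith("*.") else n
    return n == watched_domain or n.endswith("." + watched_domain)


def find_suspicious(get_entries_json, watched_domains, expected_issuers):
    """Scan a get-entries response; return alerts for watched names from unexpected issuers."""
    alerts = []
    for index, entry in enumerate(get_entries_json["entries"]):
        leaf = parse_leaf(base64.b64decode(entry["leaf_input"]))
        issuer, names = cert_names_and_issuer(leaf["der"])
        hits = sorted({n for n in names if any(covers(n, w) for w in watched_domains)})
        if hits and issuer not in expected_issuers:
            alerts.append({"index": index, "entry_type": leaf["entry_type"],
                           "timestamp_ms": leaf["timestamp_ms"], "issuer": issuer, "names": hits})
    return alerts


# --- constructed sample data (hypothetical CA names, not real log contents) ---
def tlv(tag, body):
    """Minimal DER encoder used only to build the sample entries."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def sample_cert(issuer_cn, dns_names):
    """Certificate-shaped DER carrying only issuer CN and SAN; NOT a valid certificate."""
    name = tlv(0x30, tlv(0x31, tlv(0x30, OID_CN + tlv(0x13, issuer_cn.encode()))))
    san = tlv(0x30, OID_SAN + tlv(0x04, tlv(0x30, b"".join(tlv(0x82, d.encode()) for d in dns_names))))
    tbs = tlv(0x30, tlv(0xA0, b"\x02\x01\x02") + b"\x02\x01\x01" + tlv(0x30, b"") + name
              + tlv(0x30, b"") + name + tlv(0x30, b"") + tlv(0xA3, tlv(0x30, san)))
    return tlv(0x30, tbs + tlv(0x30, b"") + b"\x03\x01\x00")


def tbs_of(cert_der):
    """Return the TBSCertificate TLV, which is what a precert_entry leaf carries."""
    body = der_read(cert_der)[1]
    return body[:der_read(body)[2]]


def sample_leaf(timestamp_ms, der, precert=False):
    """Encode a MerkleTreeLeaf the way a log's get-entries response carries it."""
    prefix = b"\x00" * 32 if precert else b""      # placeholder issuer_key_hash for precerts
    return (bytes([0, 0]) + timestamp_ms.to_bytes(8, "big") + (1 if precert else 0).to_bytes(2, "big")
            + prefix + len(der).to_bytes(3, "big") + der + b"\x00\x00")


def b64(raw):
    return base64.b64encode(raw).decode()


SAMPLE_GET_ENTRIES = {"entries": [
    {"leaf_input": b64(sample_leaf(1429038000000, sample_cert("Example Trusted CA", ["example.com", "www.example.com"]))), "extra_data": ""},
    {"leaf_input": b64(sample_leaf(1429038001000, sample_cert("Some Other CA", ["*.example.com"]))), "extra_data": ""},
    {"leaf_input": b64(sample_leaf(1429038002000, tbs_of(sample_cert("Some Other CA", ["unrelated.test"])), precert=True)), "extra_data": ""},
]}

if __name__ == "__main__":
    for alert in find_suspicious(SAMPLE_GET_ENTRIES, ["example.com"], {"Example Trusted CA"}):
        print(json.dumps(alert))
```

Run as-is it reports exactly one entry: the wildcard `*.example.com` certificate from "Some Other CA". The first entry is for the watched domain but from the expected issuer, and the third is a precertificate for an unrelated name, so neither is an alert. Note that the monitor only sees what the logs contain; that is precisely the point of the quoted message, and the reason browsers tie acceptance to proof of logging rather than to the monitor.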