On 09/06/15 04:05, Clint Wilson wrote:
> To further support your claims here, Chris, there are already tools coming out
> which actively monitor domains in CT logs and can be set up with notifications
> of misissuance:
> https://www.digicert.com/certificate-monitoring/
> https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/EPv_u9V06n0
>
> This type of tool for CT is only going to improve with time.

If you act as a CT monitor yourself, you can be sure that the logs aren't misbehaving. But if you rely on a third party to monitor the logs for you, you have to trust that third party.

Therefore, ISTM that some domain owners might want to be able to use the services of multiple independent monitors simultaneously.

So I'm wondering if the TRANS WG should think about standardizing a JSON API for searching CT logs and for setting up notifications of (mis-)issuance. The server side of this API could be implemented by services such as https://crt.sh or even directly by the logs themselves.

Thoughts?

> On Monday, June 8, 2015 at 5:23:14 PM UTC-6, Chris Palmer wrote:
>
>> For the sake of argument let's suppose I generate a cert for
>> "googlecares[dot]com" and it shows up in the CT logs. What happens next?
>>
>> A shell script notices this and pages the team responsible for
>> managing the company's online identities. Then, company
>> representatives have a phone call with the issuing CA. History shows
>> that various things may come from that, depending on the
>> circumstances.
<snip>
>> You seem to be assuming that web site operators can't write shell
>> scripts, and don't care about their public names and public keys, and
<snip>

BTW, you probably won't be surprised to hear that I've been trying to think of reasons to create a shell script called "crt.sh". ;-)

--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
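As an added illustration of the monitor Chris describes ("a shell script notices this and pages the team") and of the kind of search result a standardized JSON API as proposed above might return, here is a small Python monitor that is not part of this thread, crt.sh or any CT log. It assumes a hypothetical crt.sh-style record shape (id, issuer_name, newline-separated name_value, not_before) and uses constructed sample records, including one cert reported twice as two independent monitors would, to show domain matching, issuer allowlisting and cross-monitor deduplication.

```python
import json

# Constructed sample records in a hypothetical crt.sh-like JSON shape.
# Cert 103 appears twice, as it would if two independent monitors (or two
# logs) both reported it; cert 104 covers an unrelated domain.
SAMPLE_CT_JSON = json.dumps([
    {"id": 101, "issuer_name": "C=US, O=Example CA, CN=Example CA R1",
     "name_value": "example.com\nwww.example.com", "not_before": "2015-06-01"},
    {"id": 102, "issuer_name": "C=US, O=Example CA, CN=Example CA R1",
     "name_value": "*.example.com", "not_before": "2015-06-02"},
    {"id": 103, "issuer_name": "C=XX, O=Unknown Issuer Ltd, CN=Unknown CA",
     "name_value": "login.example.com\nexample.com", "not_before": "2015-06-08"},
    {"id": 103, "issuer_name": "C=XX, O=Unknown Issuer Ltd, CN=Unknown CA",
     "name_value": "login.example.com\nexample.com", "not_before": "2015-06-08"},
    {"id": 104, "issuer_name": "C=XX, O=Unknown Issuer Ltd, CN=Unknown CA",
     "name_value": "example.org", "not_before": "2015-06-08"},
])

MONITORED_DOMAINS = ["example.com"]  # the domains this owner controls
EXPECTED_ISSUERS = {"C=US, O=Example CA, CN=Example CA R1"}  # CAs actually used


def covers_monitored(name, monitored=MONITORED_DOMAINS):
    """True if a cert name (wildcards included) is a monitored domain or a
    subdomain of one; 'notexample.com' must not match 'example.com'."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in monitored)


def find_unexpected_issuance(ct_json, seen_ids=None,
                             expected_issuers=EXPECTED_ISSUERS):
    """Return one alert per new cert that covers a monitored name and was
    issued by a CA outside the allowlist. seen_ids is updated in place so
    the same cert reported by several monitors is paged only once."""
    seen_ids = set() if seen_ids is None else seen_ids
    alerts = []
    for rec in json.loads(ct_json):
        if rec["id"] in seen_ids:
            continue
        seen_ids.add(rec["id"])
        names = [n for n in rec["name_value"].split("\n") if covers_monitored(n)]
        if names and rec["issuer_name"] not in expected_issuers:
            alerts.append({"id": rec["id"], "issuer": rec["issuer_name"],
                           "names": names, "not_before": rec["not_before"]})
    return alerts


if __name__ == "__main__":
    for a in find_unexpected_issuance(SAMPLE_CT_JSON):
        # This is where a real monitor would page the team or open a ticket.
        print(f"ALERT cert {a['id']} from {a['issuer']}: {', '.join(a['names'])}")
```

Feeding the same records through a second time with the shared `seen_ids` set yields no new alerts, which is what lets a domain owner aggregate several independent monitors without duplicate pages.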
