I don't think 'Certificate Transparency' is all it is made out to be.
Why Google has abandoned enforcing certificate revocation via OCSP and CRL, is beyond me. You are the only ones with the position to get the CA's to return revocation information in a timely and meaningful manner - why not do that instead?
Once CT is running, it will just be THAT much easier for all CA's and CA resellers to just tie to that system and market to all the users of those certs (thusly annoying everyone more than they do already with their scanning to get the same data). At least with scanning there is some barrier to entry and time required to do the task...
Why not Hash the domains in CT and only allow 3rd parties to request the presence of the domain via hash (or something similar)? The way it is now, you are just providing SSL Selling Parties a direct marketing list. Google seems smarter than that...
Anyway, glad that this India NIC event seems reasonably well contained, in Chrome, at least. What actions has MSFT taken to limit impact on IE users?
I would like to know whether other rogue certificates found under CCA. Also, whether the others were also issued by NICCA or some other authority under CCA, and if so, which one.
If we could migrate over to DANE, we could do away with this entire CA structure. There would be no need to "trust" these hundreds of (possibly corrupt, possibly hacked) CA:s spread over the entire world.
A good first step would be to get DANE support (back) in Chrome ;)
Google, when will you start using DNSSEC (http://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions) and DNS-based Authentication of Named Entities (DANE, RFC6698) to combat such "attacks"?
CCA India confirms that suspension and revocation of NIC CA has been reverted from there end but still on Chrome SSL issued by NIC and other DSCs are not working on chrome and IE. My question to Google is that why Chrome is still not allowing it...
Follow
11 comments :
I don't think 'Certificate Transparency' is all it is made out to be.
Why Google has abandoned enforcing certificate revocation via OCSP and CRL, is beyond me. You are the only ones with the position to get the CA's to return revocation information in a timely and meaningful manner - why not do that instead?
Once CT is running, it will just be THAT much easier for all CA's and CA resellers to just tie to that system and market to all the users of those certs (thusly annoying everyone more than they do already with their scanning to get the same data). At least with scanning there is some barrier to entry and time required to do the task...
Why not Hash the domains in CT and only allow 3rd parties to request the presence of the domain via hash (or something similar)? The way it is now, you are just providing SSL Selling Parties a direct marketing list. Google seems smarter than that...
Anyway, glad that this India NIC event seems reasonably well contained, in Chrome, at least. What actions has MSFT taken to limit impact on IE users?
Could you please clarify what do you mean by Google Domains?
I would like to know whether other rogue certificates found under CCA. Also, whether the others were also issued by NICCA or some other authority under CCA, and if so, which one.
Um. So is Google still formally opposed to cert revocation checks?
If we could migrate over to DANE, we could do away with this entire CA structure. There would be no need to "trust" these hundreds of (possibly corrupt, possibly hacked) CA:s spread over the entire world.
A good first step would be to get DANE support (back) in Chrome ;)
Do you know SSLCop ? http://www.security-projects.com/?SSLCop
Google, when will you start using DNSSEC (http://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions) and DNS-based Authentication of Named Entities (DANE, RFC6698) to combat such "attacks"?
Hello,
I was wondering how you detected the rogue certificates?
Thanks.
Could you do this for most CAs where they have an obvious scope, especially those operated by country governments?
CCA India confirms that suspension and revocation of NIC CA has been reverted from there end but still on Chrome SSL issued by NIC and other DSCs are not working on chrome and IE. My question to Google is that why Chrome is still not allowing it...
Thanks
Kaushlesh Kumar
don't think 'Certificate Transparency' is all it is made out to be.
digital certificate
Post a Comment