undefined | Better HN

0 pointsakerl_2y ago0 comments

In addition to what nickf said in the parallel comment, CAs have committed to CT logging as part of being included in browser trust stores. If anyone were to find and report any certificates issued by those CAs via their trusted certificates that were not in CT logs, that would be strong evidence for browsers to remove them from the trust stores, which would essentially destroy their company.

0 comments

agwa2y ago

That is not true. CAs are not required to log their certificates. Instead, Chrome and Safari by default do not accept certificates unless they are accompanied by a signed receipt from a recognized log. If you don't need your certificate to work in a default-configured Chrome or Safari there is no need for your certificate to be logged.

Source: I work in this space

tptacek2y ago

Here what you really mean is "if your certificates will never touch Chrome", because it's not just that Chrome won't accept them, but that Chrome's SCT auditing is part of a surveillance system for certificate misissuance.

agwa2y ago

I'm not sure what you mean by "surveillance system for certificate misissuance". Chrome's SCT auditing has nothing to do with detecting certificate misissuance; just misbehaving logs.

1 more reply

j / k navigate · click thread line to collapse

0 pointsakerl_2y ago0 comments

0 comments

agwa2y ago

Source: I work in this space

tptacek2y ago

agwa2y ago

I'm not sure what you mean by "surveillance system for certificate misissuance". Chrome's SCT auditing has nothing to do with detecting certificate misissuance; just misbehaving logs.

1 more reply

j / k navigate · click thread line to collapse