
It would be impossible to enforce that issued certs are submitted to certificate transparency logs, and this would break the security model around the CA system.


I don't understand the difference between a wildcard certificate and an intermediate certificate.

An intermediate certificate is more secure because you can use different certificates for different subdomains, instead of sharing the private key for a wildcard certificate with every subdomain server.

Whether it hits CT or not is not relevant at all. What matters is if the intermediate certificate hits CT.


A wildcard covers one single level of sub-domains. An NC'd CA can be used to issue for anything. Name constraints are 'enforced' on the client side and many don't support it. Running a public CA, even with a name-constrained CA, is a challenge to do properly.
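The distinction drawn in the comment above, as an added example that is not part of the thread: a wildcard SAN matches one left-most label, an RFC 5280 dNSName constraint permits names at any depth under the subtree, and the constraint only has an effect when the validating client checks it. Function names and hostnames are constructed, and chain building and signature checks are assumed to have already passed.

```python
# Added illustration: names and hostnames below are constructed, not from the thread.

def wildcard_matches(san: str, host: str) -> bool:
    """A SAN like '*.corp.example.com' covers exactly one left-most label."""
    p = san.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or not all(h):
        return False
    return p[1:] == h[1:] and (p[0] == "*" or p[0] == h[0])


def within_subtree(constraint: str, name: str) -> bool:
    """RFC 5280 dNSName constraint: satisfied by the constraint itself or by
    any name formed by adding labels on the left, at any depth."""
    c = constraint.lower().strip(".")  # tolerating a leading dot is an assumption
    n = name.lower().rstrip(".")
    return c == "" or n == c or n.endswith("." + c)


def client_accepts(host, leaf_san, permitted, enforces_nc=True):
    """Simplified relying-party decision for a leaf issued under a
    name-constrained intermediate. Only name handling is modelled."""
    if not wildcard_matches(leaf_san, host):
        return False
    if not enforces_nc:
        # A client without name-constraint support never looks at `permitted`.
        return True
    return any(within_subtree(c, leaf_san) for c in permitted)


if __name__ == "__main__":
    permitted = ["corp.example.com"]  # constructed permitted subtree
    cases = [
        ("a.corp.example.com", "*.corp.example.com"),
        ("a.b.corp.example.com", "a.b.corp.example.com"),
        ("www.unrelated.example.net", "www.unrelated.example.net"),
    ]
    for host, san in cases:
        print(host, san,
              "enforcing:", client_accepts(host, san, permitted),
              "non-enforcing:", client_accepts(host, san, permitted, False))
```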


One of the parents claims that everything supports name constraints now, so my suggestion was with this assumption in mind.


Wouldn't the name constraint address this?


It would address the policy side, but not the transparency side (which is arguably critical to the Web PKI’s current security model).


I thought that the main problem that certificate transparency addresses is the fact that multiple certificate authorities can all issue certificates for all domains (i.e. there is an overlap in the name space).

So when a CA gets compromised in some part of the world (or gets manipulated by a state actor that effectively runs the CA) somebody could just emit a valid certificate for a domain you control.

In case of private intermediate name restricted CAs, that can be addressed by logging the issuance of the intermediate CAs.


> I thought that the main problem that certificate transparency addresses is the fact that multiple certificate authorities can all issue certificates for all domains (i.e. there is an overlap in the name space).

Yep, that's a "main" thing that CT is intended to address. But it has other useful applications as well: because anybody (including website operators) can monitor the transparency log, they can additionally assert that their own trusted CA is not issuing more than one certificate for the domains they control.

Logging only the name-constrained intermediate CA would make third-party monitoring less useful. It would also have a perverse effect on attacker incentives: the attacker now only needs to compromise a user-controlled CA with a likely to be weaker security posture.

(That being said, maybe these tradeoffs are worth it! I don't have a strong opinion about that, other than my impression that the status quo with Let's Encrypt + intentionally leaking a few private subdomains isn't really that bad.)


Yeah, the tradeoff here is that this is intended to replace the use of a wildcard certificate, which wouldn't benefit from logging every hostname anyway.



