(→Logging Reveals Commercially Sensitive Information: Added bullets)
Rick.andrews (talk | contribs) (Added some comments based on experience with Symantec customers)
Line 12: | Line 12:
In Chrome at least, which is currently the only browser that checks CT, enterprises already have this capability via enterprise policies, which do not require the installation of a specific root CA. I.e. they can turn off the CT requirement for particular roots. | In Chrome at least, which is currently the only browser that checks CT, enterprises already have this capability via enterprise policies, which do not require the installation of a specific root CA. I.e. they can turn off the CT requirement for particular roots.
However, Chrome's enterprise policy requires a list of all domain names that may appear in non-logged certs, and some enterprise customers manage hundreds of domains that change frequently. These enterprise customers have said that this approach is not workable.
=== Concealing Network Topography === | === Concealing Network Topography ===
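Review bot: the added sentence undercuts the conclusion of the sentence before it without resolving the tension: the existing text says enterprises "already have this capability via enterprise policies" (per-root exemption), while the addition says the policy "requires a list of all domain names" and is "not workable". Suggest naming the specific Chrome policy being described, and stating what the customers would need instead (an exemption keyed on the issuing CA rather than on an enumerated domain list), so a reader can tell whether the objection is to the mechanism as designed or to its current configuration model. "Have said that this approach is not workable" also needs a pointer to where that feedback was given, or should be marked as the editor's own report.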
Line 37: | Line 39:
===== Response ===== | ===== Response =====
Why would someone DOS a random camera just because it was there? | Why would someone DOS a random camera just because it was there? One answer may be found here: [https://rhinosecuritylabs.com/internet-of-things/amazon-key-security-cloudcam-disruption-attacks/]
=== Logging Reveals Geolocation Information === | === Logging Reveals Geolocation Information ===
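Review bot: the added link is a bare bracketed URL with no label, so the answer it is meant to give is not visible on the page itself; suggest a one-clause summary of what the linked write-up shows (the slug indicates disruption attacks against the Amazon Key Cloud Cam) and why that is a motive for knocking a camera offline, rather than leaving the reader to follow the link to find the point. While touching this line, "DOS" should read "DoS" in both the question and the response.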
Line 58: | Line 60:
===== Response ===== | ===== Response =====
Currently there is no application to use and make trust decisions based on SCTs for these types of Certificates. Other solutions might offer similar properties like https://security.googleblog.com/2017/01/security-through-transparency.html which is based on the CONIKS work from Princeton ( https://coniks.cs.princeton.edu/ ) | Currently there is no application to use and make trust decisions based on SCTs for these types of Certificates. Other solutions might offer similar properties like https://security.googleblog.com/2017/01/security-through-transparency.html which is based on the CONIKS work from Princeton ( https://coniks.cs.princeton.edu/ )
Line 69: | Line 72:
Such concerns can be addressed by requiring each CA which uses redaction to have a public process whereby domain owners (who would need to be validated as such) can apply for information about redacted certificates for their domains, and request revocation if they wish. This would need to give the original Applicant for the certificates the right of objection and so could not be an instant or near-instant process. | Such concerns can be addressed by requiring each CA which uses redaction to have a public process whereby domain owners (who would need to be validated as such) can apply for information about redacted certificates for their domains, and request revocation if they wish. This would need to give the original Applicant for the certificates the right of objection and so could not be an instant or near-instant process.
Note that this is issue is not caused by redaction. A domain owner today might find an unredacted cert in a CT log that they don't recognize. They need some recourse too, so we don't need a new recourse mechanism/process just for redacted certs.
=== Redaction Makes Clients More Complex === | === Redaction Makes Clients More Complex ===
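Review bot: typo in the added line, "this is issue is" should read "this issue is". On substance, the addition conflates two steps that the preceding paragraph keeps separate: the revocation request, which a domain owner can indeed make today for an unredacted certificate they do not recognize, and the prior step of applying "for information about redacted certificates for their domains", which only exists because the redacted labels are not visible in the log. Suggest stating that the revocation recourse is shared with the unredacted case, while the disclosure step is specific to redaction and still needs a defined process.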
Line 77: | Line 82:
CT redaction would reduce internet security due to a loss of visibility and accountability in the Web PKI. This would reduce the value of CT logs to the ecosystem. There is a strong likelihood of "over-redaction", where enterprises choose to redact certificates by default out of misplaced security concerns. Some CAs may simply choose to redact all certificates or redact by default. | CT redaction would reduce internet security due to a loss of visibility and accountability in the Web PKI. This would reduce the value of CT logs to the ecosystem. There is a strong likelihood of "over-redaction", where enterprises choose to redact certificates by default out of misplaced security concerns. Some CAs may simply choose to redact all certificates or redact by default.
===== Response =====
How much visibility and accountability would be lost by redaction? Redaction would hide a few domain labels in the CN and SANs, but every other DN field and every other extension would be present, allowing monitors to detect nearly all the BR-noncompliance they detect today.
=== Redaction Reduces Visibility and Accountability to Domain Owners === | === Redaction Reduces Visibility and Accountability to Domain Owners ===
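Review bot: the added response measures "visibility and accountability" only as monitors' ability to detect BR-noncompliance in the non-name fields, but the argument it answers is about the Web PKI as a whole, and the section heading immediately following ("Redaction Reduces Visibility and Accountability to Domain Owners") is exactly the case the redacted labels do affect: a domain owner looking for certificates that name their hosts. Suggest scoping the claim ("for BR-compliance monitoring, little visibility is lost") instead of "nearly all", and pointing to the next section for the domain-owner case. The response also leaves the "over-redaction" and "redact by default" points in the argument unanswered.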