Revision comparison. Edit summaries: (A few clean-ups); (Update with the counter-arguments provided against this approach in the past)
===== Response =====
Such concerns can be addressed by requiring each CA which uses redaction to have a public process whereby domain owners (who would need to be validated as such) can apply for information about redacted certificates for their domains, and request revocation if they wish. This would need to give the original Applicant for the certificates the right of objection and so could not be an instant or near-instant process.
Note that this issue is not caused by redaction. A domain owner today might find an unredacted cert in a CT log that they don't recognize. They need some recourse too, so we don't need a new recourse mechanism/process just for redacted certs.
===== Problems =====
While a process is beneficial, the identified options are either "unredact" or "revoke". Solutions that involve "unredact" undermine the various arguments in favor of redaction, such as preventing network topology enumeration, since a single temporary DNS takeover (or BGP redirect) could result in full enumeration. Solutions that involve "revoke" create even greater risk, since temporary control could result in complete revocation; they can also lead to situations where a certificate that was legitimately requested and redacted, but not through the appropriate internal channels, is improperly revoked by the subscriber.
Thus, processes for domain unredaction or revocation need to consider whether all of the arguments in favor of redaction can be satisfied by such a process, and, if mechanisms like multiple observations or continuous observations over a sustained period of time are used, whether they end up harming security more than helping.
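To make the trade-off described above concrete, the following is an added example (not text or code from this wiki page) that models a recourse process's domain-control checks as a sequence of dated observations and compares a single-check release rule with a sustained-control rule; the observation records, the party labels ("owner", "hijacker") and the window lengths are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Observation:
    """One domain-control check: days since the request opened, and which party proved control.
    The party labels are constructed for this example."""
    day: int
    controller: str


def single_check_policy(observations, requester):
    """Baseline rule: release redacted-cert details as soon as one check attributes control
    to the requester. A transient takeover that lasts through a single check satisfies this."""
    return any(o.controller == requester for o in observations)


def sustained_control_policy(observations, requester, window_days, min_checks):
    """Stricter rule: the requester must prove control at least `min_checks` times, the first
    and last of those checks must be at least `window_days` apart, and no check inside that
    span may attribute control to anyone else (continuity requirement)."""
    hits = sorted(o.day for o in observations if o.controller == requester)
    if len(hits) < min_checks or hits[-1] - hits[0] < window_days:
        return False
    # A competing controller observed inside the span breaks the continuity claim.
    return not any(hits[0] <= o.day <= hits[-1] and o.controller != requester
                   for o in observations)


def earliest_release_day(observations, requester, window_days, min_checks):
    """First day on which the sustained rule approves, or None. For a legitimate owner this is
    the delay the stricter rule imposes; that delay is the cost the text weighs against
    the enumeration risk of an instant process."""
    for o in sorted(observations, key=lambda x: x.day):
        seen = [x for x in observations if x.day <= o.day]
        if sustained_control_policy(seen, requester, window_days, min_checks):
            return o.day
    return None


# Constructed scenario: a one-day takeover on day 0, then the real owner on days 1, 8 and 15.
ONE_DAY_TAKEOVER = [Observation(0, "hijacker"), Observation(1, "owner"),
                    Observation(8, "owner"), Observation(15, "owner")]

if __name__ == "__main__":
    print("single check releases to hijacker:", single_check_policy(ONE_DAY_TAKEOVER, "hijacker"))
    print("sustained rule releases to hijacker:", sustained_control_policy(ONE_DAY_TAKEOVER, "hijacker", 14, 3))
    print("owner waits until day:", earliest_release_day(ONE_DAY_TAKEOVER, "owner", 14, 3))
```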
=== Redaction Makes Clients More Complex ===