160 points Metalnem | 2 comments
tonymet | No.44494808
Is any amateur or professional auditing done on the CA system? Something akin to amateur radio auditing?

Consumers and publishers take certificates and certs for granted. I see many broken certs, or brands using the wrong certs and domains for their services.

SSL/TLS has done well to prevent eavesdropping, but it hasn't done well to establish trust and identity.

replies(4): >>44494951 #>>44494961 #>>44496524 #>>44497149 #
1. Spivak | No.44494961
I think over the years trust and identity have gone out of scope for TLS—I think for the better. Your identity is your domain and it's not TLS's problem to connect that identity to any real life person or legal entity. I'm sure you still can buy EV certs but no one really cares about them anymore. Certainly browsers no longer care about them. And TLS makes no claim on the trustworthiness of the site you're connecting to, just that the owner of the cert proved control of the domain and that your connection is encrypted.

I can't even imagine how much of a pain it would be to try and moderate certs based on some consistent international notion of trustworthiness. I think the best you could hope to do is have 3rd parties like the BBB sign your cert as a way of them "vouching" for you.

replies(1): >>44495552 #
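The comment above boils TLS identity down to "the owner of the cert proved control of the domain". As an added illustration (not code from any commenter or from any TLS library), the block below implements the name-matching step a client performs: the requested hostname is compared against the certificate's subjectAltName entries, with RFC 6125 wildcard rules, and nothing else in the certificate (organisation name, CN, EV policy) is consulted. The certificate dictionaries and hostnames are constructed sample data.

```python
"""Identity check a TLS client applies after chain validation: does the
certificate name the host we asked for?  Constructed example; the
certificate structures below are stand-ins for parsed X.509 data."""
import ipaddress


def _normalize(name: str) -> str:
    # DNS names are case-insensitive; a trailing dot is the root label.
    return name.rstrip(".").lower()


def match_dns_id(pattern: str, hostname: str) -> bool:
    """Match one SAN dNSName (possibly a wildcard) against a hostname.

    Rules applied (RFC 6125 section 6.4.3, as browsers implement them):
    - a wildcard must be the entire left-most label ("*.example.com");
    - it matches exactly one label, never "a.b.example.com" or the
      bare "example.com";
    - "*.com" style patterns (fewer than three labels) are refused.
    """
    pattern, hostname = _normalize(pattern), _normalize(hostname)
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if "*" in p_labels[1:]:
        return False
    if len(p_labels) != len(h_labels) or h_labels[0] == "":
        return False
    return p_labels[1:] == h_labels[1:]


def verify_identity(cert: dict, requested: str) -> tuple[bool, str]:
    """Return (ok, reason) for a certificate against the name the user typed.

    cert = {"subject": {...}, "san": [("DNS", name) | ("IP", addr), ...]}
    Note what is deliberately ignored: cert["subject"] (O, OU, CN, EV
    fields).  The only identity TLS asserts is the SAN list.
    """
    try:
        requested_ip = ipaddress.ip_address(requested)
    except ValueError:
        requested_ip = None

    for kind, value in cert.get("san", []):
        if kind == "DNS" and requested_ip is None and match_dns_id(value, requested):
            return True, f"matched dNSName {value}"
        if kind == "IP" and requested_ip is not None:
            # An IP literal must match an iPAddress entry, never a dNSName.
            if ipaddress.ip_address(value) == requested_ip:
                return True, f"matched iPAddress {value}"
    return False, "no subjectAltName entry matches the requested name"


# Constructed sample: an "EV-looking" subject with a rich organisation
# field does not help when the SAN list does not cover the host.
SAMPLE_CERT = {
    "subject": {"O": "Example Corp", "CN": "example.net"},
    "san": [("DNS", "example.com"), ("DNS", "*.example.com")],
}

if __name__ == "__main__":
    for host in ("example.com", "shop.example.com", "a.b.example.com", "example.net"):
        print(host, verify_identity(SAMPLE_CERT, host))
```

Run it and note that `example.net` fails even though it appears in the CN and the subject names a real-sounding organisation: the check only ever asks "does a SAN entry name this host", which is exactly the "identity is your domain" point made above.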
2. NovemberWhiskey | No.44495552
Meet the QWAC.

https://en.m.wikipedia.org/wiki/Qualified_website_authentica...