
160 points Metalnem | 3 comments
tonymet No.44494808
Is any amateur or professional auditing done on the CA system? Something akin to amateur radio auditing?

Consumers and publishers take certificates and certs for granted. I see many broken certs, or brands using the wrong certs and domains for their services.

SSL/TLS has done well to prevent eavesdropping, but it hasn't done well to establish trust and identity.

replies(4): >>44494951 #>>44494961 #>>44496524 #>>44497149 #
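Added example, not from the thread or any poster in it: a Go program that runs the two checks a browser performs on a site certificate, hostname coverage and chain trust within the validity period, as separate checks, so that the "broken cert" and "wrong cert for the domain" cases described above are reported as distinct problems rather than one generic failure. The throwaway root CA, the example.com names, the dates and the "api.example.com" mismatch are constructed fixtures for the demonstration; nothing here contacts a real site.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CertAudit is the result of checking one leaf certificate against one hostname.
// The two browser checks are reported separately so a misconfigured site can be
// classified as "wrong name" versus "untrusted or expired chain".
type CertAudit struct {
	Host    string
	NameOK  bool   // the hostname is covered by the certificate's SANs
	ChainOK bool   // the leaf chains to a trusted root and is within validity
	Problem string // empty when both checks pass
}

// AuditLeaf runs the hostname check and the chain check independently.
// DNSName is deliberately left out of VerifyOptions so that a name mismatch
// does not mask a chain problem, or vice versa.
func AuditLeaf(leaf *x509.Certificate, host string, roots *x509.CertPool, now time.Time) CertAudit {
	a := CertAudit{Host: host}
	if err := leaf.VerifyHostname(host); err != nil {
		a.Problem = "name: " + err.Error()
	} else {
		a.NameOK = true
	}
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now}); err != nil {
		if a.Problem != "" {
			a.Problem += "; "
		}
		a.Problem += "chain: " + err.Error()
	} else {
		a.ChainOK = true
	}
	return a
}

// buildTestPKI creates a constructed, in-memory root CA and a leaf certificate
// for www.example.com / example.com signed by it. This is a test fixture, not a
// real site's certificate; keys are thrown away with the process.
func buildTestPKI(notBefore, notAfter time.Time) (root, leaf *x509.Certificate, err error) {
	rootKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	rootTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Constructed Test Root"},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	rootDER, err := x509.CreateCertificate(rand.Reader, rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	if err != nil {
		return nil, nil, err
	}
	root, err = x509.ParseCertificate(rootDER)
	if err != nil {
		return nil, nil, err
	}

	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "www.example.com"},
		DNSNames:     []string{"www.example.com", "example.com"}, // constructed SANs
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, root, &leafKey.PublicKey, rootKey)
	if err != nil {
		return nil, nil, err
	}
	leaf, err = x509.ParseCertificate(leafDER)
	return root, leaf, err
}

// AuditScenarios audits the constructed leaf under four conditions a manual
// check of a site commonly turns up: correct, served on the wrong name,
// issuer missing from the trust store, and expired. Order is fixed.
func AuditScenarios() ([]CertAudit, error) {
	now := time.Date(2024, 6, 1, 0, 0, 0, 0, time.UTC) // fixed clock for reproducibility
	root, leaf, err := buildTestPKI(now.Add(-24*time.Hour), now.Add(90*24*time.Hour))
	if err != nil {
		return nil, err
	}
	trusted := x509.NewCertPool()
	trusted.AddCert(root)
	untrusted := x509.NewCertPool() // non-nil but empty: no fallback to system roots

	return []CertAudit{
		AuditLeaf(leaf, "www.example.com", trusted, now),                       // correct cert, correct name
		AuditLeaf(leaf, "api.example.com", trusted, now),                       // valid cert on the wrong name
		AuditLeaf(leaf, "www.example.com", untrusted, now),                     // root not in the trust store
		AuditLeaf(leaf, "www.example.com", trusted, now.Add(365*24*time.Hour)), // past NotAfter
	}, nil
}

func main() {
	audits, err := AuditScenarios()
	if err != nil {
		panic(err)
	}
	for _, a := range audits {
		status := "OK"
		if a.Problem != "" {
			status = a.Problem
		}
		fmt.Printf("%-16s name=%-5v chain=%-5v %s\n", a.Host, a.NameOK, a.ChainOK, status)
	}
}
```

To turn this into a check against a live host, replace the constructed leaf with the certificate from a `tls.Conn` (with `InsecureSkipVerify` set so the handshake completes and the audit, not the dialer, reports the failure) and pass `nil` as the root pool to use the system trust store; keeping the two checks separate is what makes the output useful for spotting the "right cert, wrong domain" case.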
dlgeek No.44497149
Yes. All CAs trusted by browsers have to go through WebTrust or ETSI audits by accredited auditors.

See https://www.mozilla.org/en-US/about/governance/policies/secu... and https://www.ccadb.org/auditors and https://www.ccadb.org/policy#51-audit-statement-content

replies(2): >>44497273 #>>44503762 #
1. tptacek No.44497273
As I understand them, these are accounting audits, similar (if perhaps more detailed) to a SOC 2. The real thing keeping CAs from being gravely insecure is the CA death penalty Google will inflict if a CA suffers a security breach that results in any kind of misissuance.
replies(1): >>44497363 #
2. creatonez No.44497363
It's not just Google, but also Mozilla, Apple, and Microsoft. They all work together on shutting down bad behavior.

Apple and Microsoft mainly have power because they control Safari and Edge. Firefox is of course dying, but they still wield significant power because their trusted CA list is copied by all the major Linux distributions that run on servers.

replies(1): >>44497465 #
3. tptacek No.44497465
Sure. I think Google and Mozilla have been the prime movers to date, but everyone has upped their game since Verisign/Symantec.