Ben Laurie blathering

Fixing CAs

Adam Langley and I have a proposal to bolster up the rather fragile Certificate Authority infrastructure.

TL;DNR: certificates are registered in a public audit log. Servers present proofs that their certificate is registered, along with the certificate itself. Clients check these proofs and domain owners monitor the logs. If a CA mis-issues a certificate then either

  • There is no proof of registration, so the browser rejects the certificate, or
  • There is a proof of registration and the certificate is published in the log, in which case the domain owner notices and complains, or
  • There is a proof of registration but the certificate does not appear in the log, in which case the proof is now proof that the log misbehaved and should be struck off.

And that, as they say, is that.
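The three outcomes above, as an added example (not code from this post or from the proposal itself). It assumes the log is a Merkle hash tree and the proof of registration is an audit path to the log's root, hashed as in RFC 6962; signing of the root is omitted, and the certificate bytes and function names are constructed for illustration.

```python
import hashlib

def _h(data):
    return hashlib.sha256(data).digest()
def leaf_hash(cert):
    return _h(b"\x00" + cert)            # domain-separated leaf hash
def node_hash(left, right):
    return _h(b"\x01" + left + right)    # domain-separated interior hash
def _split(n):
    k = 1                                # largest power of two strictly below n
    while k * 2 < n:
        k *= 2
    return k

def merkle_root(leaves):
    if not leaves:
        return _h(b"")
    if len(leaves) == 1:
        return leaves[0]
    k = _split(len(leaves))
    return node_hash(merkle_root(leaves[:k]), merkle_root(leaves[k:]))

def audit_path(leaves, i):
    """Sibling hashes from leaf i up to the root, each tagged with its side."""
    if len(leaves) == 1:
        return []
    k = _split(len(leaves))
    if i < k:
        return audit_path(leaves[:k], i) + [("R", merkle_root(leaves[k:]))]
    return audit_path(leaves[k:], i - k) + [("L", merkle_root(leaves[:k]))]

def verify_proof(cert, path, root):
    h = leaf_hash(cert)
    for side, sibling in path:
        h = node_hash(h, sibling) if side == "R" else node_hash(sibling, h)
    return h == root

def outcome(cert, proof, root, published):
    """Which of the post's three cases a mis-issued certificate falls into."""
    if proof is None or not verify_proof(cert, proof, root):
        return "rejected"          # browser: no valid proof of registration
    if cert in published:
        return "visible"           # monitor: domain owner notices and complains
    return "log-misbehaved"        # proof commits the log to an entry it hides

# Constructed sample data: the third certificate is the mis-issued one.
CERTS = [b"example.com/ca-a", b"example.org/ca-a", b"example.com/ca-rogue"]
LEAVES = [leaf_hash(c) for c in CERTS]
ROOT, ROGUE, PROOF = merkle_root(LEAVES), CERTS[2], audit_path(LEAVES, 2)
```

In the third case the audit path and the root it verifies against are the evidence: together they show the log committed to an entry that its published contents do not include.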

Update: Adam has blogged, exploring the design space.


  1. I’m reading your paper now, but in the meantime – why not something like instead, Ben? It’s explained in detail here:

    Seems like a nice, clean solution. I’ve heard that a few people have argued against it, but haven’t seen the arguments against something like Convergence.

    Comment by Manu Sporny — 30 Nov 2011 @ 0:42

  2. “…Because of this we intend to leave revocation for a later phase of the project.”

    I think there are two main problems with the current system:
    – transparency of the certificate creation, e.g. who issued which certificates.
    This is addressed by this proposal.
    – a revocation system which is transparent (why revoked), resistant against misuse (who authorizes revocation) and stable (don’t ignore errors).
    This is not sufficiently addressed in this proposal, nor in Convergence etc.

    Comment by Steffen Ullrich — 2 Dec 2011 @ 11:37

  4. […] lot of people didn’t like that the original version had a delay before you could issue a new certificate. So, we redesigned the protocol to avoid that […]

    Pingback by Links » Certificate Transparency Version 2 — 31 Jul 2012 @ 23:47
