If you're a CA you can just issue a cert and not publish it in the CT logs. You're not ...

0xbadcafebee • today at 4:32 AM • 1 reply • view on HN

If you're a CA you can just issue a cert and not publish it in the CT logs. You're not supposed to do that, but there is nothing stopping it. And the attack isn't stopped even if they do publish in CT. And you have to monitor for it anyway.

Every single mitigation for known Web PKI vulns can be worked around (if people use them, which virtually nobody does).

Replies

joxdosba • today at 7:07 AM

> If you're a CA you can just issue a cert and not publish it in the CT logs. You're not supposed to do that, but there is nothing stopping it.

Browsers have mandated CT logging for years and will not accept such a certificate.

Why is it so common to incorrectly assume that the people who came up with CT were stupid?

➕ show 1 reply

alt Hacker News

Replies