On Mon, 5 Oct 2020 12:57:31 +0100
"'Kat Joyce' via Certificate Transparency Policy"
<
ct-p...@chromium.org> wrote:
> I hope everyone enjoyed last month's virtual CT days as much as I did
> - it was great to actually see so many of the CT community "in
> person" again!
Agreed!
> One of the things that came up on the first day was that, given we
> have moved to temporal Logs for server certificates now, having a Log
> that accepted certificates for which CA=TRUE would be useful.
>
> I made the mistake of not noting down all of the reasons that this
> would be useful that were discussed that day, and I know there were a
> few from a few different people. In the hope of enumerating all of
> the benefits of running this Log, would people please reply to this
> email with the reasons you'd like to see a CA=TRUE Log run? I have a
> couple, but I don't want to miss any, so no matter how obvious or
> subtle you may think a reason is, please do post it!
The benefit is the discovery of CA certificates capable of issuing
TLS server certificates, whether or not they have actually done so.
Over the years, many unaudited and otherwise undisclosed
TLS-capable CA=TRUE certificates have been submitted to CT logs,
which the community has leveraged to create useful tools like
<
https://crt.sh/mozilla-disclosures>. This has unquestionably improved
the security of the WebPKI: unaudited CA=TRUE certificates are dangerous
since there are no assurances of how their key material is protected.
Although CT lets us know if their key material is ever used to
misissue a TLS certificate, it's preferable to prevent misissuance than
detect it after the fact - CT is not a replacement for audits.
As the CT ecosystem moves to temporally-sharded logs that only
accept TLS certificates, the WebPKI will lose a place for these
CA=TRUE certificates to be submitted. The CCADB is not a sufficient
replacement because only CAs can submit there, and historically
CAs have been very bad at disclosing intermediate certificates.
(After all, if we could trust CAs, there would be no need for CT.)
And although CT log entries can contain CA=TRUE certificates
in extra_data, this only suffices if the submitter who finds the CA=TRUE
certificate also finds an end-entity certificate which is accepted by
the log. This is not always the case. For example, Tavis Ormandy
found undisclosed, TLS-capable intermediates embedded in PDF files,
and most of the end-entity certificates were not TLS certificates:
https://groups.google.com/forum/#!msg/mozilla.dev.security.policy/sNDN6q26_uM/uaOthN1yAAAJ
Arguably, the verifiable properties of CT are not needed for storing
CA=TRUE certificates. However, we already have a CT ecosystem consisting
of a specification, log implementations, monitor implementations,
submission tools, and awareness among security researchers. It would be
easier to reuse CT for storing CA=TRUE certificates than to undertake
the effort of building and evangelizing a new system. Presumably, the
overhead from CT's verifiability won't be a problem - there are fewer
than 200,000 CA=TRUE certificates in CT right now and new ones are not
created at a very fast rate.
Regards,
Andrew