[Cryptography] The Trouble with Certificate Transparency

[James A. Donald]

On 2014-09-26 05:15, Eric Mill wrote:
> On Thu, Sep 25, 2014 at 1:52 AM, Ralf Senderek <crypto at senderek.ie
> <mailto:crypto at senderek.ie>> wrote:
>
>
>     Given the powers of a post-snowden MITM, the claim in Greg's posting
>     seems
>     legitimate. At the moment when the browser makes the connection it is
>     undetectable that the browser is being fooled, _unless_ the browser
>     keeps track of the certificates it's visiting over time.

At the moment the browser makes the connection, it is told that the 
current root hash for all certificates at the current time is X.  It 
receives a signed statement that X is the root hash for the current 
period, and hash path leading from the certificate to the root hash.

So, if browser deceived, only the entity signing the root hash can 
deceive it.

Later, the browser contacts one of the entities that monitor the 
entities signing the root hash.

If the signed assurance it has received is inconsistent with the global 
root has that the monitor has received, the monitor will have proof that 
the entity signing the root has is unreliable - the monitor will have 
two inconsistent signed statements as to the condition of the global 
root hash.

And pretty soon, that entity is discredited.

So, by and by, only reliable entities sign the global root hash.


To be an entity accepted to sign the global root hash, have to be 
monitored by several monitoring entities, who also monitor each other.

If accepted for any length of time, then not making mutually 
contradictory signatures of the global root hash.

If not making mutually contradictory signatures of the global root hash, 
then a hash path from an assertion containing information about a 
globally unique name, to the global root hash, such as an assertion 
about the public keys controlled by the rightful owner of that name is 
proof that everyone, including the owner of that name, sees the same 
information.