Comment

Isn’t this just CRL in reverse? Part of the point of cryptographically signing a cert is so you don’t have to do this if you trust the issuer.

Sort:hotnew top

cron@feddit.org ⁨4⁩ ⁨hours⁩ ago
No, these are completely separate issues.

CRL: protect against certificates that have their private key compromised

CT: protect against incompetent or malicious Certificate Authorities.

This is just one example why we have certificate transparency. Revocation wouldn’t be useful if it isn’t even known which certificates need revocation.

The National Informatics Centre (NIC) of India, a subordinate CA of the Indian Controller of Certifying Authorities (India CCA), issues rogue certificates for Google and Yahoo domains. NIC claims that their issuance process was compromised and that only four certificates were misissued. However, Google is aware of misissued certificates not reported by NIC, so it can only be assumed that the scope of the breach is unknown.

Source
source
Auli@lemmy.ca ⁨4⁩ ⁨hours⁩ ago
Or the more likely a rouge certificate authority giving out certs it shouldn’t.

source