The challenge here is ensuring that CAs are actually publishing every certificate. If your concern is that the CA was intentionally misissuing, it might just choose not to publish the bogus certificate.

The first step is to have the client (i.e., the browser) check that the certificate was published, thus hopefully forcing the CA to publish it. But now we have to confront the definition of "publish". How do we know the CA published to everyone?

For instance, if the CA has it on their web site and sends it to clients but not to sites when they check, then the system breaks down.

The standard solution here is what's called a consensus system. Effectively, you compute a summary of all the published certificates (typically by assembling them into a Merkle hash tree). See the post for more detail on this.

Next, you need some mechanism whereby each element in the system can assure itself that it has the same summary as everyone else (this is actually the hard part).


Finally, when you go to the Web server, it proves that its certificate matches the summary. What this means technically is that it gives you a Merkle inclusion proof that goes back to the root.

The post has more detail, but the idea behind the proof is to show that there is a path from your certificate back to the root of the tree, thus demonstrating that the tree was computed over your certificate.

If all goes well, this gives you a closed loop that makes it impossible to surreptitiously issue a certificate:

1. The consensus system requires the CA to commit to all its certificates.
2. Clients verify that certificates have been committed to.
3. Site operators can then download all certificates, make sure they match the consensus, and then check for bogus certificates in their name.

Mission accomplished.
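To make the "path back to the root" concrete, here is an added example (not code from the post): a small RFC 6962-style Merkle tree built over a constructed batch of stand-in "certificates", the inclusion proof a server would hand over, and the client-side check that folds the leaf back up to the root. The leaf/node prefixes and the verification algorithm follow the RFC; the certificate byte strings are made up.

```python
import hashlib

# Constructed stand-in "certificates" (not real DER); the log would hold real ones.
CERTS = [f"cert for example-{i}.test".encode() for i in range(5)]

def leaf_hash(leaf: bytes) -> bytes:
    return hashlib.sha256(b"\x00" + leaf).digest()            # 0x00 prefix marks a leaf

def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()    # 0x01 prefix marks an interior node

def _split(n: int) -> int:
    return 1 << ((n - 1).bit_length() - 1)   # largest power of two strictly below n

def merkle_root(leaves: list[bytes]) -> bytes:
    """The tree head: the summary the log commits to and everyone must agree on."""
    if not leaves:
        return hashlib.sha256(b"").digest()
    if len(leaves) == 1:
        return leaf_hash(leaves[0])
    k = _split(len(leaves))
    return node_hash(merkle_root(leaves[:k]), merkle_root(leaves[k:]))

def inclusion_proof(leaves: list[bytes], index: int) -> list[bytes]:
    """Sibling hashes on the path from leaf `index` up to the root (what the server sends)."""
    if len(leaves) == 1:
        return []
    k = _split(len(leaves))
    if index < k:
        return inclusion_proof(leaves[:k], index) + [merkle_root(leaves[k:])]
    return inclusion_proof(leaves[k:], index - k) + [merkle_root(leaves[:k])]

def verify_inclusion(leaf: bytes, index: int, tree_size: int, proof: list[bytes], root: bytes) -> bool:
    """Client check: recompute the root from the leaf and its siblings, compare to the trusted root."""
    r, fn, sn = leaf_hash(leaf), index, tree_size - 1
    for sibling in proof:
        if sn == 0:
            return False                          # proof has more steps than the tree has levels
        if (fn & 1) == 1 or fn == sn:             # we are a right child, or the promoted last node
            r = node_hash(sibling, r)
            while fn != 0 and (fn & 1) == 0:      # skip levels where that last node was carried up
                fn, sn = fn >> 1, sn >> 1
        else:
            r = node_hash(r, sibling)
        fn, sn = fn >> 1, sn >> 1
    return sn == 0 and r == root

if __name__ == "__main__":
    root = merkle_root(CERTS)
    for i, cert in enumerate(CERTS):
        print(i, verify_inclusion(cert, i, len(CERTS), inclusion_proof(CERTS, i), root))
    print("unlogged:", verify_inclusion(b"rogue cert", 0, len(CERTS), inclusion_proof(CERTS, 0), root))
```

A certificate the log never committed to cannot be given a valid proof against the agreed root, which is the property the client relies on.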

Of course, actually deploying this in practice turns out to be a lot harder than it sounds, which I'll get to in the next post.

https://educatedguesswork.org/posts/transparency-part-1/

A hard look at Certificate Transparency, Part I: Transparency Systems
