This article is rated C-class on Wikipedia's content assessment scale. It is of interest to the following WikiProjects:
https://groups.google.com/a/chromium.org/forum/#!msg/ct-policy/wHILiYf31DE/iMFmpMEkAQAJ
O'Brien, Devon (7 February 2018). "Certificate Transparency Enforcement in Google Chrome". Google Groups. Retrieved 18 December 2019. — Preceding unsigned comment added by Zabuch (talk • contribs) 11:34, 20 December 2021 (UTC)
The link is available. Shoeper (talk) 00:40, 24 February 2022 (UTC)
Hello fellow Wikipedians,
I have just added archive links to one external link on Certificate Transparency. Please take a moment to review my edit. If necessary, add {{cbignore}} after the link to keep me from modifying it. Alternatively, you can add {{nobots|deny=InternetArchiveBot}} to keep me off the page altogether. I made the following changes:
When you have finished reviewing my changes, please set the checked parameter below to true to let others know.
An editor has reviewed this edit and fixed any errors that were found.
Cheers.— cyberbot II Talk to my owner:Online 17:22, 31 December 2015 (UTC)
Not sure whether the Expect-CT header is in scope, but HTTP Public Key Pinning has a link named "Expect-CT" to this article. Readers may get confused when clicking that link only to see nothing about Expect-CT. -- Franklin Yu (talk) 18:52, 31 October 2018 (UTC)
I think it would be useful. Shoeper (talk) 00:42, 24 February 2022 (UTC)
The Advantages section says that "Certificate Transparency does not require side channel communication to validate certificates as do some competing technologies such as Online Certificate Status Protocol (OCSP)".
CT is a "who watches the watchers" mechanism to monitor certs issued by CAs and notice fraudulent ones faster (so they can then be revoked). OCSP is a mechanism for a CA to tell a browser when a certificate is revoked. These are not competing; in fact, they are complementary.
And yes, I'm aware that in their 2017 deprecation notice / talk for HPKP, Google urged people to migrate to CT instead. While they both increase trust in certificates and reduce fraud in general, I don't really agree that they solve the same technical problem :P
I agree. It's also a little bit misleading, as CT does not provide any means of revocation; it only helps a site owner to identify illegitimate certificates. Shoeper (talk) 00:48, 24 February 2022 (UTC)
The article reads: Certificate Transparency does not require side channel communication to validate certificates.
I doubt the validity of this unsourced statement:
If a CA was silently compromised and a fraudulent SSL certificate created and used by a hacker in the middle of the communication, that fact can only become known to the client browser if it checks the CRL (which would yield no revocation yet because the CA compromise is still unnoticed) and the CT log (which would miss the expected hash and cause the client browser to reject the fraudulent certificate). This means the client browser must contact the CRL server and the CT log server, which makes two side channel communications.
Am I in error with this argument or is the cited statement really wrong? -- Juergen 94.134.41.237 (talk) 16:03, 8 October 2020 (UTC)
You are right. Shoeper (talk) 00:49, 24 February 2022 (UTC)
Hello @WikiLinuz:, you recently reverted one of my edits without any explanation. In my original edit I replaced the following text:
and instead wrote
My reasoning was:
Could you please clarify why you reverted the edit? Was it a mistake? Can I change it back? Anton.bersh (talk) 20:42, 14 February 2022 (UTC)