| ▲ | Lammy 3 days ago | |
I think their point is that a hypothetical connection-specific cert would make it difficult/impossible to compare your cert with anybody else to be able to find out that it happened. A CA could be backdoored but only “tapped” for some high-value target to diminish the chance of burning the access. | ||
| ▲ | woodruffw 3 days ago | parent | next [-] | |
> I think their point is that a hypothetical connection-specific cert would make it difficult/impossible to compare your cert with anybody else to be able to find out that it happened. This is already the case; CT doesn't rely on your specific served cert being comparable with others, but all certs for a domain being monitorable and auditable. (This does, however, point to a current problem: more companies should be monitoring CT than are currently.) | ||
| ▲ | roblabla 3 days ago | parent | prev | next [-] | |
Well, the cert can still be compared to what's in the CT Log for this purpose. | ||
| ▲ | sitkack 3 days ago | parent | prev [-] | |
Yes, precisely. | ||