Key Transparency

There's been a lot of discussion lately about how to know if a vendor's public key is correct, and how to ensure that it hasn't been manipulated. It seems there are people trying to solve a tangentially related issue - verifying that certificate authorities are not minting keys for domains they're not authorized to.

Throwing this out here, as I did not see this discussed originally.

https://www.certificate-transparency.org/

https://github.com/google/keytransparency/

https://security.googleblog.com/2017/01/security-through-transparency.html

I lack the time currently to do this, but it seems feasible to reuse their ideas to help ensure vendor keys are accurate.


Comments


[2 Points] None:

[deleted]