Hello, welcome to the Thursday, August 4th, 2016 edition of the Sandtonet Storm Center's Stormcast.

My name is Johannes Ulrich and I'm recording from Boston Message.

I've talked in the past in this podcast and in our diaries a lot about certificate transparency.

Certificate transparency is a standard that's heavily supported

by Google that essentially requires that certificate authorities will publish logs of all the

certificates that they are issuing. The reason this is proposed is that in the past it has happened that

criminals were able to convince certificate authorities in issuing them legitimate certificates.

And then of course in hindsight the entire certificate revocation process is somewhat unreliable.

Now with certificate transparency, you will be able to search these certificate transparency

logs in order to figure out if someone did request a certificate for any domain name that you are responsible for.

Now the problem of the system is that the published data does include all host names that the certificate

verifies. So by publishing the certificate transparency logs and making them searchable,

I can now search for companies somewhat secretive host names that they may not wish to be publicly

known, but they did request a certificate for that host name from a public certificate authority.

At this point, there is no great work around here.

Of course, you can run your own internal certificate authority for these names,

but then again, everybody using the particular site has to trust it,

which of course can be a little bit tricky when you're dealing here

with business partners and not just internal users. In the future, an update of the

certificate transparency standard will allow you to publish a somewhat priviated form of the

host name, just a question mark. Dot your domain name in order to hide the full host name that is verified by this certificate.

But this standard has not been finalized yet.

...