- From: Stefan Eissing <stefan.eissing@greenbytes.de>
- Date: Fri, 10 May 2019 12:46:53 +0200
- To: HTTP Working Group <ietf-http-wg@w3.org>
Christophe Brocas (@cbrocas), organizer of the Pass-the-Salt security conference, tweeted about checking HTTP server certificates against CT logs to detect very early if someone successfully hijacked one of your domains.

A renewed certificate is often not immediately used on a server but activated on the next restart, which can be several hours away. To check if a certificate is mentioned in a CT log, one would need to obtain information about upcoming certificates as well.

One approach is to expose this on a /.well-known resource of a domain: a JSON representation of current and upcoming certificate information. CN, serial, fingerprint, alt-names, begins at, expires on. Maybe the whole certificate?

I would be interested in your opinion if this information can be exposed publicly or should be considered sensitive? For the current cert, the client obviously already has this at the connection, but is there any risk of exposing an upcoming cert?

Feedback appreciated,
Stefan
Received on Friday, 10 May 2019 10:47:18 UTC