W3C home > Mailing lists > Public > ietf-http-wg@w3.org > April to June 2019

exposing certificate information (current + upcoming)

From: Stefan Eissing <stefan.eissing@greenbytes.de>
Date: Fri, 10 May 2019 12:46:53 +0200
Message-Id: <BA35C55E-E096-49DA-BBC5-D5A34756FC67@greenbytes.de>
To: HTTP Working Group <ietf-http-wg@w3.org>
Christophe Brocas (@cbrocas), organizer of Pass-the-Salt security conference, tweeted 
about checking HTTP server certificates against CT logs to detect very early if someone
successfully highjacked one of your domains.

A renewed certificate is often not immediately used on a server but activated on the
next restart which can be several hours away. To check if a certificate mentioned in a
CT log, one would need to obtain information about upcoming certificates as well.

One approach is to expose this on a /.well-known resource of a domain. A JSON 
representation of current and upcoming certificate information. CN, serial,
fingerprint, alt-names, begins at, expires on. Maybe the hole certificate?

I would be interested in your opinion if this information can be exposed publicly or
should be considered sensitive? For the current cert, the client
obviously already has this at the connection, but is there any risk of exposing
an upcoming cert?

Feedback appreciated,

Stefan
Received on Friday, 10 May 2019 10:47:18 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 17:15:34 UTC