That would require them to issue a separate certificate. Certificate Transparency provides significant deterrence against that.
They can either log it into Certificate Transparency (and include the SCT, the "receipt" for logging it, in the cert), or not do that.
If they log it, the server operator can see (in the public CT logs) that a certificate was issued for his domain by someone else, and raise hell.
If they don't log it, the certificate won't have an SCT. That means that software that enforces CT can treat the certificate as invalid, and if someone saw the cert on the wire, it would immediately appear suspicious since all Let's Encrypt certs are supposed to have an SCT.
They could also get an evil CT log to issue a SCT without logging it, but that would generate irrefutable cryptographic proof of malfeasance of the CT log.
They could also get an evil CT log to issue a SCT without logging it…
If a SCT is issued, it has to be logged within a certain amout of time; 3rd party auditors check for this. [1]:
An auditor is a third party that keeps log operators honest. They query logs from various vantage points on the internet and gossip with each other about what order certificates are in. They’re like the paparazzi of the PKI. They also keep track of whether an SCT has been honored or not by measuring the time it took between the SCT’s timestamp and the corresponding certificate showing up in the log.
And only certain logs are trusted anyway [2]; a CT log that doesn't meet certain requirements wouldn't be trusted to begin with. And if a trusted CT log turned evil, it would quickly be noticed.
They can either log it into Certificate Transparency (and include the SCT, the "receipt" for logging it, in the cert), or not do that.
If they log it, the server operator can see (in the public CT logs) that a certificate was issued for his domain by someone else, and raise hell.
If they don't log it, the certificate won't have an SCT. That means that software that enforces CT can treat the certificate as invalid, and if someone saw the cert on the wire, it would immediately appear suspicious since all Let's Encrypt certs are supposed to have an SCT.
They could also get an evil CT log to issue a SCT without logging it, but that would generate irrefutable cryptographic proof of malfeasance of the CT log.
reply