International Association
for Cryptologic Research

The ``certificate authority\'\' model for authenticating public keys of websites has been attacked in recent years, and several proposals have been made to reinforce it. We develop and extend ``certificate transparency\'\', a proposal in this direction, so that it efficiently handles certificate revocation. We show how this extension can be used to build a secure end-to-end email or messaging system using PKI with no requirement to trust certificate authorities, or to rely on complex peer-to-peer key-signing arrangements such as PGP. We believe this finally makes end-to-end encrypted email as usable as encrypted web browsing is today, addressing the concerns of a classic paper explaining the difficulties users face in encrypting emails (``Why Johnny can\'t encrypt\'\', 1999). Underlying these ideas is a new attacker model appropriate for cloud computing, which we call ``malicious-but-cautious\'\'.