A recent Google announcement says all publicly trusted SSL/TLS certificates issued in October 2017 or later will be expected to comply with Chrome’s Certificate Transparency (CT) policy in order to be trusted by that browser.
Since January 2015, Chrome has required Extended Validation (EV) certificates to comply with CT, but now with this policy change, it will also apply to Domain Validated (DV) and Organization Validated (OV) certificates.
What Does This Mean for DigiCert Customers?
Fortunately, for DigiCert customers, our systems have been and remain ready for this new policy. Beyond logging your EV certificates to CT, many of you have taken advantage of our CT implementation to test your systems with OV certificates.
For those of you who haven’t done this yet, there is plenty time of time before the 2017 compliance deadline to conduct tests. To start, opt-in for CT within your administrator account. For those wanting to turn on CT by default ahead of the deadline, contact our support team by email at support(at)digicert(dot)com, live chat, or phone (801) 701-9600.
DigiCert at the Forefront of CT Development
DigiCert participated in early pilots with Google during 2013 and implemented full CT capabilities in late 2013 that allowed our customers to opt-in at that time. To further our commitment, we began logging all EV certificates ahead of the January 2015 deadline, and we became the first approved, non-Google entity to operate a CT log beginning on January 1, 2015.
For more than two years, DigiCert has advocated for Chrome to make CT a mandatory requirement for all certificates because we believe it enhances the SSL/TLS ecosystem, providing early detection of misissued certificates. The transparency of CT improves the integrity of Certificate Authority (CA) practices and provides additional protections for domain holders.
While this is a positive step forward for the industry, we feel that there is still important work to do before the October 2017 deadline in order to assure CT meets the interests of the security community and domain holders.
For example, name redaction is an important matter to us and the community at-large for the following reasons:
Security: Some companies use DNS as a network map. Absent name redaction, some companies may publicly end up disclosing more corporate structure information than intended.
Propriety: When deploying pre-launch websites for projects, companies often want to use a trusted certificate, but for obvious reasons, do not want to give away any secrets that could hurt their market position.
Privacy: Certificates may include personal information about a company or their staff. Redacting this information would provide important protection.
DigiCert remains committed to advancing Internet security standards and practices that protect online trustworthiness. In doing so, we feel it important to balance the legitimate needs of organizations in protecting their trade secrets and maintaining business advantages.