The success of Certificate Transparency (CT) relies on support from many different parties, including Certificate Authorities (CAs), browsers, brand owners, and independent companies running public CT logs.
The end goal of CT is twofold. First, CAs log all SSL/TLS certificates in multiple, publicly available CT logs run by independent companies, allowing browsers to extend trust only to certificates that have been logged. Second, domain owners and interested parties can monitor these CT logs to detect certificates that were either misissued by the CA or not actually authorized by the organization.
DigiCert supports additional certificate verification and believes that higher validation standards are necessary to ensure that each certificate issued has been authorized by the organization that owns the domain or brand. While CT only provides this confirmation after issuance is complete, we see CT logging as a key component in SSL/TLS certificate validation and as a complement to the requester verification already required by the CAB Forum Baseline Requirements.
CT Support for Logs, Browsers, and CAs
Below is the status of CT support for logs, browsers, and CAs as of January 2015.
As of January 2015, Chrome includes three logs: two operated by Google and one operated by DigiCert. There are an additional three logs pending inclusion, operated by Google, Certly, and Izenpe. Please check this page for an updated list.
Inclusion of a log requires a high degree of availability, evidenced through a 90-day testing period. A log unable to meet these high requirements is untrusted. As such, DigiCert took extra precautions in establishing its log and ensuring it is robust enough to handle the volume of all EV certificates issued.
Chrome – Chrome started supporting CT in early 2014. Google is now expanding this support into a requirement for all CAs issuing EV certificates. Starting in January 2015, Chrome will require CAs to include CT proofs in all EV SSL Certificates for them to show the green bar.
For a one-year certificate, Google is requiring CT proofs from two independent logs. For a two-year certificate, the certificate must include CT proofs from at least three independent logs. To ease the transition for CAs, Google is temporarily (until July 2015) relaxing their independence requirement, permitting CAs to include two proofs from Google’s logs and one from DigiCert’s log. The expectation is that more CAs and interested parties will create logs during the interim to ensure there are a sufficient number of operational logs.
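The CT proofs mentioned above are Signed Certificate Timestamps (SCTs) embedded in the certificate as a TLS-encoded list (RFC 6962). The following is an added example, not DigiCert's or Google's code: it parses such a list, maps each SCT's log ID to an operator, and applies the count rule stated in the preceding paragraph, including the interim two-Google-plus-DigiCert allowance. The log IDs, operator mapping and signature bytes are constructed placeholders, and signatures are not cryptographically verified.

```python
import struct
from datetime import datetime, timezone

# Constructed 32-byte log IDs (placeholders for the real Google/DigiCert log IDs) -> operator.
LOG_OPERATORS = {b"\x01" * 32: "Google", b"\x02" * 32: "Google", b"\x03" * 32: "DigiCert"}

def encode_sct(log_id, ts_ms, signature):
    """Build a v1 SCT (RFC 6962 s3.2): version, log_id, timestamp, empty extensions, sha256/ecdsa ids, signature."""
    return (b"\x00" + log_id + struct.pack(">QH", ts_ms, 0) + b"\x04\x03"
            + struct.pack(">H", len(signature)) + signature)

def parse_sct(sct):
    """Parse one v1 SCT; the signature is returned but NOT verified here (a browser checks it against the log key)."""
    if sct[0] != 0:
        raise ValueError("unsupported SCT version %d" % sct[0])
    ts_ms, ext_len = struct.unpack(">QH", sct[33:43])
    pos = 43 + ext_len                       # skip extensions to the digitally-signed struct
    sig_len = struct.unpack(">H", sct[pos + 2:pos + 4])[0]
    signature = sct[pos + 4:pos + 4 + sig_len]
    if len(signature) != sig_len:
        raise ValueError("truncated SCT signature")
    return {"log_id": sct[1:33], "timestamp": datetime.fromtimestamp(ts_ms / 1000, tz=timezone.utc),
            "hash_alg": sct[pos], "sig_alg": sct[pos + 1], "signature": signature}

def parse_sct_list(data):
    """Split a SignedCertificateTimestampList (RFC 6962 s3.3, the certificate-embedded form) into SCTs."""
    if struct.unpack(">H", data[:2])[0] != len(data) - 2:
        raise ValueError("SCT list length mismatch")
    scts, pos = [], 2
    while pos < len(data):
        n = struct.unpack(">H", data[pos:pos + 2])[0]
        scts.append(parse_sct(data[pos + 2:pos + 2 + n]))
        pos += 2 + n
    return scts

def meets_chrome_ev_policy(scts, validity_years, before_july_2015=True):
    """Count rule from the text: 2 independent logs for a one-year certificate, 3 for two years;
    until July 2015 two Google logs plus the DigiCert log are also accepted."""
    required = 2 if validity_years <= 1 else 3
    ops = [LOG_OPERATORS.get(s["log_id"], "unknown") for s in scts]   # unknown logs never count
    distinct_logs = len({s["log_id"] for s in scts})
    if distinct_logs >= required and len(set(ops) - {"unknown"}) >= required:
        return True
    return (before_july_2015 and required == 3 and distinct_logs >= 3
            and ops.count("Google") >= 2 and ops.count("DigiCert") >= 1)

# Constructed sample: the three SCTs a two-year EV certificate issued on 1 Jan 2015 UTC would carry.
SAMPLE_SCTS = [encode_sct(log_id, 1420070400000, b"\x30\x06\x02\x01\x01\x02\x01\x02")
               for log_id in LOG_OPERATORS]
SAMPLE_LIST = struct.pack(">H", sum(2 + len(s) for s in SAMPLE_SCTS)) + b"".join(
    struct.pack(">H", len(s)) + s for s in SAMPLE_SCTS)
```

Run `meets_chrome_ev_policy(parse_sct_list(SAMPLE_LIST), 2)` to see the interim allowance accept the sample, and pass `before_july_2015=False` to see the same certificate fail the strict three-operator rule.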
Firefox – In December 2014, Mozilla announced its plans to add CT support to Firefox. Mozilla has not announced when support will be added, but it did note that Firefox will not enable CT checking by default.
By January 1, 2015, all major CAs will start including issued EV Certificates in CT log servers. Any CA issuing two-year EV certificates will need to use the two available Google logs and the DigiCert log to achieve compliance with the Google requirement. More CAs are expected to set up logs in the near future.
Background and History of Certificate Transparency
In 2011, a Dutch Certificate Authority (CA) called DigiNotar was hacked, permitting the attackers to create more than 500 fraudulent certificates issued from DigiNotar’s trusted root. The attackers used these certificates to impersonate numerous sites, including Google and Facebook, and conduct Man-in-the-Middle attacks on unsuspecting users.
This, among other high-profile incidents of mistakenly or maliciously issued certificates by non-DigiCert CAs, caused Google engineers to brainstorm new solutions. Two of those engineers, Ben Laurie and Adam Langley, came up with the idea of Certificate Transparency (CT) and began developing the framework as an open source project. In 2012, Laurie and Langley created a working draft outlining Certificate Transparency in conjunction with the IETF, and in 2013 they published an RFC.
In 2013, Google launched two public logs and announced their plans to eventually require CT for all EV SSL Certificates in Google Chrome.
DigiCert has experimented with CT integration and provided feedback on proposed CT implementations since 2012. In September 2013, DigiCert became the first CA to implement CT in its systems, and in October of the same year DigiCert became the first CA to offer customers the option of embedding CT proofs in SSL Certificates.
In September 2014, DigiCert submitted a private log to Google for inclusion in Google Chrome. The DigiCert log was accepted on December 31, 2014. DigiCert was the first CA to create a CT log.