Certificate Transparency?

What is Certificate Transparency?

What is Certificate Transparency?

Certificate Transparency (CT) is an open framework of logs, monitors, and auditors created to help domain owners oversee digital certificates issued for their brands. CT logs help domain owners protect their brand by providing a way to find misissued or rogue certificates more easily. Certificate-issuing entities, like CAs, log certificates to comply with standards.

DigiCert supports CT as earlier detection of misissued certificates is important for server operators and users. As such, CT is a significant improvement for the industry and highlights CAs using good certificate issuance practices. We will always follow the highest standards for verifying identities and issuing high-assurance digital certificates.

What are the Benefits of Certificate Transparency?

Earlier Detection: CT helps detect unauthorized certificates in a few hours instead of days, weeks, or months. Domain owners can identify any certificates issued without express approval or outside their domain policy.

Faster Mitigation: Using CT helps users identify which certificates require revocation, allowing them to quickly communicate with the issuing CA and shortening the process for revoking a certificate.

Better Insight: CT gives public insight into the SSL/TLS system, giving anyone the ability to observe and verify the system’s health and integrity. Users can also see differences in issuance processes between CAs.

Stronger Security: By providing transparency into the certificate issuance process and informing users about issued certificates, CT strengthens the chain of trust and makes online browsing safer for all everyone.

What is the Goal of Certificate Transparency?

The success of Certificate Transparency (CT) relies on support from many different parties, including Certificate Authorities (CAs), browsers, brand owners, and independent companies running public CT logs.

The end goal of CT is twofold. First, CAs log all TLS/SSL Certificates in multiple, publicly available CT logs run by independent companies, allowing browsers to provide trust only to certificates that have been logged. Second, domain owners and interested parties can monitor these CT logs to detect certificates that were either misissued by the CA or not actually authorized by the organization.

DigiCert supports additional certificate verification and believes that higher validation standards are necessary to ensure that each certificate issued has been authorized by the organization that owns the domain or brand. While CT only provides this confirmation after issuance is complete, we see CT logging as a key component in TLS/SSL certificate validation and as a compliment to the requester verification already required by the C/AB Forum Baseline Requirements.