What is the status of certificate transparency (CT) support for logs, browsers and CAs?
Logs
Beginning Feb. 2018, DigiCert started submitting all newly issued and publicly trusted TLS/SSL certificates to Certificate Transparency (CT) logs by default. We made this change ahead of Google's industry-wide requirement, which went into effect in April 2018, in the interest of improving our customers' security and encouraging adoption. Before 2018, logging was only required for EV certificates.
DigiCert operates its own CT log that is also used by Google. Inclusion of a log requires a high degree of availability, evidenced through a 90-day testing period. A log unable to meet these high requirements is untrusted. As such, DigiCert took extra precautions in establishing its log and ensuring it is robust enough to handle the volume of all certificates issued.
Browsers
Chrome – Chrome started supporting CT in early 2014. They are now expanding this support as a requirement for all CAs issuing certificates.
For a one-year certificate, Google required CT proofs from two independent logs. For a two-year certificate issued before one-year certificates became the standard in 2020, the certificate was required to include CT proofs from at least three independent logs. To ease the transition for CAs, Google temporarily relaxed their independence requirement, permitting CAs to include two proofs from Google’s logs and one from DigiCert’s log. The expectation was that more CAs and interested parties would create logs during the interim to ensure a sufficient number of operational logs.
Firefox – Firefox does not currently check or require the use of CT logs for sites that users visit.
Safari – Apple requires a varying number of SCTs in order for Safari and other Apple clients to trust server certificates.
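To make the Chrome rule above concrete, here is an added example (not DigiCert's or Google's code) that parses the RFC 6962 SCT list as it is embedded in a certificate and then applies the log-count and log-independence rule described for one-year and two-year certificates. The log IDs and the operator mapping are constructed placeholders, not real CT log identifiers; the SCT signatures are dummies and are not verified.

```python
import struct

# RFC 6962 v1 SignedCertificateTimestamp wire layout (big-endian):
#   version(1) | log_id(32) | timestamp(8, ms since epoch) |
#   extensions(2-byte length + data) |
#   hash_alg(1) | sig_alg(1) | signature(2-byte length + data)
def parse_sct(buf):
    if len(buf) < 43 or buf[0] != 0:
        raise ValueError("unsupported version or truncated SCT")
    log_id = buf[1:33]
    ts_ms, ext_len = struct.unpack(">QH", buf[33:43])
    pos = 43 + ext_len
    hash_alg, sig_alg, sig_len = struct.unpack(">BBH", buf[pos:pos + 4])
    sig = buf[pos + 4:pos + 4 + sig_len]
    if len(sig) != sig_len:
        raise ValueError("truncated signature")
    return {"log_id": log_id, "timestamp_ms": ts_ms,
            "hash_alg": hash_alg, "sig_alg": sig_alg, "signature": sig}

def parse_sct_list(blob):
    """SignedCertificateTimestampList: 2-byte total length, then a sequence of
    2-byte-length-prefixed SCTs. This is the payload of the embedded SCT list
    extension (OID 1.3.6.1.4.1.11129.2.4.2) once its OCTET STRING wrapper is removed."""
    (total,) = struct.unpack(">H", blob[:2])
    if total != len(blob) - 2:
        raise ValueError("SCT list length mismatch")
    pos, scts = 2, []
    while pos < len(blob):
        (n,) = struct.unpack(">H", blob[pos:pos + 2])
        scts.append(parse_sct(blob[pos + 2:pos + 2 + n]))
        pos += 2 + n
    return scts

def build_sct(log_id, ts_ms, sig=b"\x30\x00"):
    """Constructed test SCT (sha256=4, ecdsa=3, dummy signature) for exercising the parser."""
    body = (b"\x00" + log_id + struct.pack(">QH", ts_ms, 0)
            + bytes([4, 3]) + struct.pack(">H", len(sig)) + sig)
    return struct.pack(">H", len(body)) + body

def build_sct_list(serialized_scts):
    body = b"".join(serialized_scts)
    return struct.pack(">H", len(body)) + body

# Constructed log IDs and their operators (placeholders, not real CT log IDs).
OPERATOR_OF = {b"\x01" * 32: "Google", b"\x02" * 32: "Google", b"\x03" * 32: "DigiCert"}

def meets_chrome_policy(scts, validity_months):
    """Rule from the page: one-year certs need SCTs from 2 independent logs, two-year
    certs from 3, where two Google logs plus DigiCert's log count as independent."""
    required = 2 if validity_months <= 12 else 3
    # SCTs from unknown (untrusted) logs do not count; duplicates of one log count once.
    known = {s["log_id"]: OPERATOR_OF[s["log_id"]] for s in scts if s["log_id"] in OPERATOR_OF}
    return len(known) >= required and len(set(known.values())) >= 2
```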
Certificate authorities:
According to RFC 9162 of the Internet Engineering Task Force (IETF), it is expected that public CAs will contribute all their newly issued certificates to one or more logs; however, certificate holders can also contribute their own certificate chains, as can third parties.
By Jan. 2015, all major CAs had started including issued EV certificates in CT log servers. Any CA issuing EV certificates was required to use the two available Google logs and the DigiCert log to achieve compliance with the Google requirement.
How does DigiCert meet certificate transparency compliance?
CT strengthens the TLS/SSL certificate system by creating publicly auditable records of certificate issuance. Since 2015, Google has required CAs to log EV certificates to public CT logs. In April 2018, Google began requiring CAs to also log OV and DV certificates to public CT logs.
DigiCert began publishing all newly issued public TLS/SSL certificates to public CT logs Feb. 1, 2018. This change did not affect any OV or DV certificates issued before Feb. 1, 2018.
Browsers with Certificate Transparency policies:
As of April 2018, Google required CAs to log all TLS/SSL certificates (EV, OV, and DV).
As of October 15, 2018, Apple required CAs to log all TLS/SSL certificates (EV, OV, and DV).
What is the background and history of certificate transparency?
In 2011, a Dutch Certificate Authority (CA) called DigiNotar was hacked, permitting the attackers to create more than 500 fraudulent certificates issued from DigiNotar’s trusted root. The attackers used these certificates to impersonate numerous sites, including Google and Facebook, and conduct Man-in-the-Middle attacks on unsuspecting users.
This, among other high-profile incidents of mistakenly or maliciously issued certificates by non-DigiCert CAs, led Google engineers to look for new solutions. Two of those engineers, Ben Laurie and Adam Langley, came up with the idea of Certificate Transparency (CT) and began developing the framework as an open source project. In 2012, Laurie and Langley created a working draft outlining Certificate Transparency in conjunction with the IETF, and in 2013 they published an RFC.
In 2013, Google launched two public logs and announced their plans to eventually require CT for all EV SSL Certificates in Google Chrome.
Beginning in 2012, DigiCert experimented with CT integration and provided feedback on proposed CT implementations. In September 2013, DigiCert became the first CA to implement CT in its systems, and in October of the same year DigiCert became the first CA to offer customers the option of embedding CT proofs in SSL certificates.
In September 2014, DigiCert submitted a private log to Google for inclusion in Google Chrome. The DigiCert log was accepted on December 31, 2014. DigiCert was the first CA to create a CT log.