Certificate Transparency Birds of a Feather

Bruce Morton

IETF 85 held a Birds of a Feather (BoF) meeting on Certificate Transparency (CT).

CT is a method for domain owners to determine if a certificate has been issued for their domain. It will also allow an end user to distrust the certificate, if it is not logged.

A quick aside about why the concern for fraudulent certificates is going up and up. The Web security model has always been focused around finances. The financial concerns are mostly hedged by the banks who limit the loss to credit card subscribers. Then the social Internet (e.g., social media, email) came along and people started using the Internet for communication with friends — sometimes sending sensitive communication or information. The knowledge of some sensitive communication by third parties could result in a threat to their lives. The risk has been dialed up a few notches.

The big issue with certificate management is there seems to be an unlimited number of CAs that can issue a certificate for any domain. A bad certificate could be used in a man-in-the-middle attack to compromise people’s communications, invade people’s privacy and even cost lives. This was the concern in Iran after the DigiNotar breach.

CT is still very much in the draft phase. Adam Langley of Google, the main presenter, described the concept about how all certificates would have to be publicly disclosed and logged in a CT log. The solution would be accomplished without changing server software and not relying on third parties who would need uptime and the ability to be reached.

Eventually, it is desired that the browsers will be changed to require all publicly-trusted certificates to be logged. If not logged, then an error would occur. There are two CAs currently testing CT with Google.

The certificates would be logged by the CA at time of issuance with information in the signed part of the certificate. Certificates not logged this way could be logged out of band by the Subscriber or the CA.

Once there are logs in place, there would be requirements for monitors. A domain owner could review the logs for certificates issued to their domains. A third party could also set up a service that would email a domain owner whenever a certificate was registered with one of their domains.

There was much concern by the BoF regarding how CT would work with DANE-compliant certificates. It was stated that if you want your certificate to be treated as publicly-trusted, then it would need to be logged in some way. There appears to be much work to do here to make sure that all parties are happy.

It took two rounds of humming, but the BoF determined that CT should proceed along without having a working group. To support development, visit the CT website.

Bruce Morton
Bruce Morton
Director, Certificate Technology & Standards

Bruce Morton has worked in the public key infrastructure and digital certificate industry for more than 15 years and has focused on SSL and other publicly trusted certificates since 2005. He has been an active member of the CA/Browser Forum that released guidelines for extended validation (EV) certificates and Baseline Requirements for SSL certificates. Bruce oversees the governance and compliance of Entrust’s publicly trusted PKI.


Add to the Conversation