I mentioned in an earlier blog post, about Certification Authority Authorization (CAA), that one of the issues with having many public CAs is that any of them can issue an SSL certificate for any domain. Certificate Transparency (CT) is another proposed method to resolve this issue. The draft CT specification states the following goals:
- The goal is to make it impossible (or at least very difficult) for a certification authority to issue a certificate for a domain without it being visible to the owner of that domain.
- A secondary goal is to protect users as much as possible from mis-issued certificates.
This is achieved by creating cryptographically assured, publicly auditable, append-only logs of certificates. Every certificate will be accompanied by a signature from one or more logs asserting that the certificate has been included in those logs. Browsers, auditors and monitors will collaborate to ensure that the log is honest. Domain owners and other interested parties can monitor the logs for mis-issued certificates.
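The auditor and monitor roles described above, as an added example that is not part of the original post or of the CT project's code: it goes beyond the text by using the Merkle hash tree construction published in RFC 6962 (the Certificate Transparency specification) to show how an auditor checks that an entry is included in the log and how a monitor spots an unexpected issuer for a domain. The entries, CA names and function names are constructed for illustration; real logs store certificate chains and sign their tree heads.

```python
import hashlib

# Constructed sample entries ("dns-name|issuer") standing in for logged certificates.
LOG = [b"example.com|CA-One", b"shop.example|CA-Two", b"example.com|CA-Three",
       b"mail.example|CA-One", b"example.net|CA-Two"]

def leaf_hash(entry):
    return hashlib.sha256(b"\x00" + entry).digest()  # 0x00 prefix marks a leaf

def node_hash(left, right):
    return hashlib.sha256(b"\x01" + left + right).digest()  # 0x01 marks an interior node

def split(n):
    return 1 << ((n - 1).bit_length() - 1)  # largest power of two strictly below n

def tree_head(entries):
    """Root hash the log commits to for its first len(entries) entries."""
    if len(entries) <= 1:
        return leaf_hash(entries[0]) if entries else hashlib.sha256(b"").digest()
    k = split(len(entries))
    return node_hash(tree_head(entries[:k]), tree_head(entries[k:]))

def audit_path(index, entries):
    """Sibling hashes a log returns to prove entries[index] is in the tree."""
    if len(entries) <= 1:
        return []
    k = split(len(entries))
    if index < k:
        return audit_path(index, entries[:k]) + [tree_head(entries[k:])]
    return audit_path(index - k, entries[k:]) + [tree_head(entries[:k])]

def verify_inclusion(entry, index, size, path, head):
    """Auditor side: recompute the root from entry + path, compare with the head."""
    def root(i, n, p):
        if n == 1 or not p:
            return leaf_hash(entry) if n == 1 and not p else None  # wrong path length
        k = split(n)
        sub = root(i, k, p[:-1]) if i < k else root(i - k, n - k, p[:-1])
        if sub is None:
            return None
        return node_hash(sub, p[-1]) if i < k else node_hash(p[-1], sub)
    return 0 <= index < size and root(index, size, list(path)) == head

def unexpected_issuers(entries, domain, allowed):
    """Monitor side: log entries for `domain` issued by a CA the owner did not use."""
    rows = [(i, *e.decode().split("|")) for i, e in enumerate(entries)]
    return [(i, ca) for i, name, ca in rows if name == domain and ca not in allowed]
```

Because every entry feeds into the tree head, a log cannot silently drop or alter a logged certificate without the inclusion check failing for anyone holding the earlier head.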
The concept for CT is still being developed. If accepted by the industry, it will require logs to be developed and hosted, changes to the browsers, and issuance changes by the CAs. Third-party monitors may also be developed to check the logs on behalf of domain owners, report mis-issued certificates, and report misbehaving logs.
Updated September 13, 2012: The CT specification has now been released as a draft IETF Network Working Group Request for Comments titled Certificate Transparency.