Certificate Transparency

Bruce Morton

I mentioned in an earlier blog, about certification authority authorization (CAA), that one of the issues of having many public CAs is that any or all can issue SSL certificates for any domain. Certificate Transparency (CT) is another proposed method to resolve this issue. The draft CT specification states the following goals:

  • The goal is to make it impossible (or at least very difficult) for a certification authority to issue a certificate for a domain without it being visible to the owner of that domain.
  • A secondary goal is to protect users as much as possible from mis-issued certificates.

This is achieved by creating cryptographically assured, publicly auditable, append-only logs of certificates. Every certificate will be accompanied by a signature from one or more logs asserting that the certificate has been included in those logs. Browsers, auditors and monitors will collaborate to ensure that the log is honest. Domain owners and other interested parties can monitor the logs for mis-issued certificates.

The concept for CT is still being developed. If accepted by the industry, it will require logs to be developed and hosted, changes to the browsers, and issuance changes by the CAs. There may also be third-party monitors developed to check the logs for domain owners, advise of mis-issued certificates, and advise of ill-practicing logs.

Updated September 13, 2012: The CT specification has now been released as a draft IETF Network Working Group request for comment called Certificate Transparency.

Bruce Morton
Bruce Morton
Director, Certificate Technology & Standards

Bruce Morton has worked in the public key infrastructure and digital certificate industry for more than 15 years and has focused on SSL and other publicly trusted certificates since 2005. He has been an active member of the CA/Browser Forum that released guidelines for extended validation (EV) certificates and Baseline Requirements for SSL certificates. Bruce oversees the governance and compliance of Entrust’s publicly trusted PKI.


  1. Demetrius Stidd April 9, 2013 Reply

    Oh my goodness! a tremendous article dude. Thanks Nonetheless I’m experiencing problem with ur rss . Don’t know why Unable to subscribe to it. Is there anybody getting identical rss downside? Anyone who is aware of kindly respond. Thnkx

Add to the Conversation