GlobalSign Blog

19 Nov 2014

What is Certificate Transparency?

You may have heard about Certificate Transparency(CT) and Google Chrome’s Early 2015 deadline for EV SSL Certificates. This is the first of a series of articles, and this one describes what CT is and why it is important.

The CT project is an open framework for monitoring and auditing SSL Certificate issuance. It makes CA certificate issuance open to auditing and monitoring, which can be used to detect mis-issuance. Transparency is achieved by having CAs post certificates to publicly accessible Qualified CT Logs. Customers can create log monitors which look for certificates issued to their domains and detect mis-issuance in minutes.

CT logs are append-only logs and while anyone can post certificates to the logs, it will be primarily used by CAs to post “Pre-Certificates”.  When Pre-Certificates are posted to the logs, the log operator returns a Signed Certificate Timestamp which proves the certificate was logged. This SCT can be used by browsers to validate that the certificate was logged. SCTs can be distributed to the browser in a variety of mechanisms. We will discuss this in our future blog that gets more technical.

The Certificate Transparency Project describes the 3 main goals:

  • To make it impossible (or at least very difficult) for a CA to issue an SSL Certificate for a domain without the certificate being visible to the owner of that domain.
  • To provide an open auditing and monitoring system that lets any domain owner or CA determine whether certificates have been mistakenly or maliciously issued.
  • To protect users from being duped by certificates that were mistakenly or maliciously issued.

GlobalSign and other CAs are now preparing for the upcoming changes that will affect how EV SSL Certificates are displayed.

Look out for more blogs from us regarding Certificate Transparency including a Technical Deep Dive of CT and what CT means for EV SSL Certificates!

Share this Post