Certificate Transparency (CT) is an

Internet security Internet security is a branch of computer security. It encompasses the Internet, browser security, web site security, and network security as it applies to other applications or operating systems as a whole. Its objective is to establish rules ...

standard Standard may refer to: Symbols * Colours, standards and guidons, kinds of military signs * Standard (emblem), a type of a large symbol or emblem used for identification Norms, conventions or requirements * Standard (metrology), an object th ...

for monitoring and auditing the issuance of

digital certificates Digital usually refers to something using discrete digits, often binary digits. Technology and computing Hardware *Digital electronics, electronic circuits which operate using digital signals **Digital camera, which captures and stores digital i ...

. The standard creates a system of public logs that seek to eventually record all certificates issued by publicly trusted certificate authorities, allowing efficient identification of mistakenly or maliciously issued certificates. Version 2.0 of the Certificate Transparency mechanism, the latest, is described in the experimental , which obsoletes the earlier version 1.0 described in .

Technical overview

The certificate transparency system consists of a system of append-only certificate logs. Logs are operated by many parties, including browser vendors and certificate authorities. Certificates that support certificate transparency must include one or more ''signed certificate timestamps'' (SCTs), which is a promise from a log operator to include the certificate in their log within a ''maximum merge delay'' (MMD). At some point within the maximum merge delay, the log operator adds the certificate to their log. Each entry in a log references the hash of a previous one, forming a

Merkle tree In cryptography and computer science, a hash tree or Merkle tree is a tree in which every "leaf" (node) is labelled with the cryptographic hash of a data block, and every node that is not a leaf (called a ''branch'', ''inner node'', or ''inode'') ...

. The ''signed tree head'' (STH) references the current root of the Merkle tree.

Mandatory certificate transparency

Some browsers require TLS certificates to have proof of being logged with certificate transparency, either through SCTs embedded into the certificate, an extension during the TLS handshake, or through

OCSP The Online Certificate Status Protocol (OCSP) is an Internet protocol used for obtaining the revocation status of an X.509 digital certificate. It is described in RFC 6960 and is on the Internet standards track. It was created as an alternative t ...

Log sharding

Due to the large quantities of certificates issued with the Web PKI, certificate transparency logs can grow to contain many certificates. This large quantity of certificates can cause strain on logs. Temporal sharding is a method to reduce the strain on logs by sharding a log into multiple logs, and having each shard only accept precertificates/certificates with an expiration date in a particular time period (usually a calendar year).

Cloudflare Cloudflare, Inc. is an American content delivery network and DDoS mitigation company, founded in 2009. It primarily acts as a reverse proxy between a website's visitor and the Cloudflare customer's hosting provider. Its headquarters are in Sa ...

's Nimbus series of logs was the first to use temporal sharding.

Background

Advantages

One of the problems with digital certificate management is that fraudulent certificates take a long time to be spotted, reported and revoked. An issued certificate not logged using Certificate Transparency may never be spotted at all. Certificate Transparency makes it possible for the domain owner (and anyone interested) to get in knowledge of any certificate issued for a domain.

Certificate Transparency logs

Certificate Transparency depends on verifiable Certificate Transparency logs. A log appends new certificates to an ever-growing Merkle hash tree. To be seen as behaving correctly, a log must: * Verify that each submitted certificate or precertificate has a valid signature chain leading back to a trusted root certificate authority certificate. * Refuse to publish certificates without this valid signature chain. * Store the entire verification chain from the newly accepted certificate back to the root certificate. * Present this chain for auditing upon request. A log may accept certificates that are not yet fully valid and certificates that have expired.

Certificate Transparency monitors

Monitors act as clients to the log servers. Monitors check logs to make sure they are behaving correctly. An inconsistency is used to prove that a log has not behaved correctly, and the signatures on the log's data structure (the Merkle tree) prevent the log from denying that misbehavior.

Certificate Transparency auditors

Auditors also act as clients to the log servers. Certificate Transparency auditors use partial information about a log to verify the log against other partial information they have.

Certificate Transparency log programs

Apple and Google have separate log programs with distinct policies and lists of trusted logs.

Root stores of Certificate Transparency logs

Certificate Transparency logs maintain their own root stores and only accept certificates that chain back to the trusted roots. A number of misbehaving logs have been publishing inconsistent root stores in the past.

History

Signed Certificate Transparency on Firefox 89 screenshot

In 2011, a reseller of the certificate authority Comodo was attacked and the certificate authority

DigiNotar DigiNotar was a Dutch certificate authority owned by VASCO Data Security International, Inc. On September 3, 2011, after it had become clear that a security breach had resulted in the fraudulent issuing of certificates, the Dutch government to ...

was compromised, demonstrating existing flaws in the certificate authority ecosystem and prompting work on various mechanisms to prevent or monitor unauthorized certificate issuance.

Google Google LLC () is an American Multinational corporation, multinational technology company focusing on Search Engine, search engine technology, online advertising, cloud computing, software, computer software, quantum computing, e-commerce, ar ...

employees

Ben Laurie Ben Laurie is an English software engineer. He is currently the Director of Security at The Bunker Secure Hosting. Laurie wrote Apache-SSL, the basis of most SSL-enabled versions of the Apache HTTP Server. He developed the MUD ''Gods'', which was ...

, Adam Langley and Emilia Kasper began work on an open source framework for detecting mis-issued certificates the same year. In 2012, they submitted the first draft of the standard to

IETF The Internet Engineering Task Force (IETF) is a standards organization for the Internet and is responsible for the technical standards that make up the Internet protocol suite (TCP/IP). It has no formal membership roster or requirements and a ...

under the code-name "Sunlight". In March 2013, Google launched its first certificate transparency log. In September 2013,

DigiCert DigiCert, Inc. is an American digital security company headquartered in Lehi, Utah, with offices in Australia, Ireland, Japan, India, France, South Africa, Switzerland and United Kingdom. As a certificate authority (CA) and trusted third party, ...

became the first

certificate authority In cryptography, a certificate authority or certification authority (CA) is an entity that stores, signs, and issues digital certificates. A digital certificate certifies the ownership of a public key by the named subject of the certificate. Thi ...

to implement Certificate Transparency. In 2015, Google Chrome began requiring Certificate Transparency for newly issued

Extended Validation Certificate An Extended Validation Certificate (EV) is a certificate conforming to X.509 that proves the legal entity of the owner and is signed by a certificate authority key that can issue EV certificates. EV certificates can be used in the same manner as ...

s. It began requiring Certificate Transparency for all certificates newly issued by Symantec from June 1, 2016, after they were found to have issued 187 certificates without the domain owners' knowledge. Since April 2018, this requirement has been extended to all certificates. On March 23, 2018,

announced its own CT log named ''Nimbus''. In March 2018, "Certificate Transparency Version 2.0" draft was published. In May, 2019,

Let's Encrypt Let's Encrypt is a non-profit certificate authority run by Internet Security Research Group (ISRG) that provides X.509 certificates for Transport Layer Security (TLS) encryption at no charge. It is the world's largest certificate authority, used ...

launched its own CT log called Oak. Since February 2020, it is included in approved log lists and is usable by all publicly-trusted certificate authorities. In December 2021, IETF RFC 9162 “Certificate Transparency Version 2.0” was published. CTv2.0 revises and obsoletes the CTv1.0 protocol, drawing insights from CTv1.0's deployments and feed-backs from the community. Version 2.0 includes major changes to the required structure of the log certificate, as well as support for

Ed25519 In public-key cryptography, Edwards-curve Digital Signature Algorithm (EdDSA) is a digital signature scheme using a variant of Schnorr signature based on twisted Edwards curves. It is designed to be faster than existing digital signature scheme ...

as a signature algorithm of SCTs and support for including certificate inclusion proofs along the SCT. In February 2022, Google published an update to their CT policy, which removes the requirement for certificates to include a SCT from their own CT log service, matching all the requirements for certificates to those previously published by Apple.

Signature Algorithms

In Certificate Transparency Version 1.0, a log must use NIST P-256 curve, or RSA signatures (using a key of at least 2048 bits).^{:section 2.1.4} In the updated Certificate Transparency Version 2.0 standard, the allowed algorithms are NIST P-256, Deterministic

ECDSA In cryptography, the Elliptic Curve Digital Signature Algorithm (ECDSA) offers a variant of the Digital Signature Algorithm (DSA) which uses elliptic-curve cryptography. Key and signature-size As with elliptic-curve cryptography in general, the b ...

, or

Tools for inspecting CT logs

crt.sh
by

Sectigo Xcitium, formerly known as Comodo Security Solutions, Inc., is a cybersecurity company headquartered in Bloomfield, New Jersey in the United States. History The company was founded in 1998 in the United Kingdom by Melih Abdulhayoğlu. The compa ...

Censys search

Cert Spotter by sslmate

certstream.calidog.io

ct.cloudflare.com
- Merkle Town by

Meta
Certificate Transparency Monitoring by Meta
Certificate Transparency Root Explorer

References

External links

* * Certificate Transparency - Internet Engineering Task Force * Certificate Transparency Version 2.0 - Internet Engineering Task Force
crt.sh
a Certificate Transparency Log search engine
Google Certificate Transparency Report

Certificate Transparency Monitoring by Meta

CT test on badssl.com
{{SSL/TLS Public key infrastructure Internet security Transport Layer Security