The Certificate Transparency scheme proposed by Google engineers has taken a couple of significant steps forward recently, with the approval of the first independent certificate log and the passing of a deadline for all extended validation certificates to be CT-compliant or lose the green indicator in Google Chrome.
On Jan. 1, a CT log operated by DigiCert, a Utah certificate authority, became operational, making it the first non-Google CT log to be approved. The approval is an important step, as part of the CT scheme requires that two-year extended validation certificates have proofs from three separate logs. Google currently operates two logs of its own.
Certificate Transparency is designed to help solve some of the trust issues associated with the CA system. One feature of the framework is that, in order to be compliant, CAs need to submit the certificates they issue to logs, all of which are publicly auditable and cryptographically assured. This can address the problem of fraudulently or mistakenly issued certificates, as all of the certificates are out in the open. This is especially important for EV certificates, which require more research by the CA before they’re issued and are valid for several years.
So for CAs who issue EV certificates, anything issued before Jan. 1 should be whitelisted, but certificates issued since Jan. 1 must be CT-compliant or they will lose the green approval indicator in Chrome.
“The log approval process is a long one. They test your log to make sure it’s up every second,” said Jeremy Rowley, vice president of business development at DigiCert. “You have to make a lot of adjustments to the code too. If you just use the open source code from Google, the log will collapse.”
For CAs that may not have been aware of the deadline or weren’t ready in time, the changes in Chrome could create some issues for sites.
“Yes, there could be some chaos. Not every CA is trusted by our log, so those that aren’t and try to issue two-year certs will have some problems,” Rowley said. “It might take some of them by surprise, some customers by surprise. Right now, you can still do one-year certs by hitting both Google logs. Most sites will be fine, but some secured by smaller CAs could have issues. But if the CA did their job right, you shouldn’t see any downtime of the green bar.”
Another deadline looms this summer, as well. After July 1, all proofs for EV certificates have to come from independent logs. These proofs aren’t required for normal, non-EV certificates, but that requirement could come in the future.
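As an added example, not code from the article or from any CT project, here is a small Python parser for the SCT list that a CA embeds in a certificate (the RFC 6962 extension format), followed by a check of how many distinct logs vouched for the certificate against the counts the article gives: three for a two-year EV certificate, two for a one-year one. The log IDs and SCT bytes are constructed stand-ins and the SCT signatures are not verified.

```python
import struct

# Constructed stand-in log IDs (in reality the SHA-256 of each log's public key).
GOOGLE_LOG_A, GOOGLE_LOG_B, DIGICERT_LOG = b"\x01" * 32, b"\x02" * 32, b"\x03" * 32
GOOGLE_LOGS = {GOOGLE_LOG_A, GOOGLE_LOG_B}

def parse_sct_list(blob: bytes) -> list:
    """SignedCertificateTimestampList (RFC 6962 s.3.3): 2-byte list length,
    then SCTs that are each prefixed by their own 2-byte length."""
    (total,) = struct.unpack(">H", blob[:2])
    if 2 + total != len(blob):
        raise ValueError("SCT list length does not match data")
    pos, scts = 2, []
    while pos < len(blob):
        (n,) = struct.unpack(">H", blob[pos:pos + 2])
        sct, pos = blob[pos + 2:pos + 2 + n], pos + 2 + n
        if len(sct) != n or sct[0] != 0:          # v1 SCTs carry version byte 0
            raise ValueError("truncated SCT or unsupported version")
        log_id = sct[1:33]                         # 32-byte log ID
        (ts_ms,) = struct.unpack(">Q", sct[33:41])  # ms since the Unix epoch
        (ext_len,) = struct.unpack(">H", sct[41:43])
        off = 43 + ext_len                         # skip extensions
        (sig_len,) = struct.unpack(">H", sct[off + 2:off + 4])
        sig = sct[off + 4:off + 4 + sig_len]
        if len(sig) != sig_len:
            raise ValueError("truncated SCT signature")
        scts.append({"log_id": log_id, "timestamp_ms": ts_ms,
                     "algs": (sct[off], sct[off + 1]), "signature": sig})
    return scts

def required_logs(validity_years: int) -> int:
    # Article: two-year EV certs need proofs from three separate logs;
    # one-year certs can still be satisfied by the two Google logs.
    return 3 if validity_years >= 2 else 2

def check_log_policy(blob: bytes, validity_years: int) -> dict:
    logs = {s["log_id"] for s in parse_sct_list(blob)}
    return {"distinct_logs": len(logs),
            "enough_logs": len(logs) >= required_logs(validity_years),
            # Informational: the July deadline concerns proofs from non-Google logs.
            "has_independent_log": any(l not in GOOGLE_LOGS for l in logs)}

def build_sct(log_id: bytes, ts_ms: int, sig: bytes) -> bytes:
    # Constructed SCT for testing: version 0, no extensions, sha256(4)/ecdsa(3).
    body = (b"\x00" + log_id + struct.pack(">Q", ts_ms) + b"\x00\x00"
            + b"\x04\x03" + struct.pack(">H", len(sig)) + sig)
    return struct.pack(">H", len(body)) + body

def build_sct_list(scts: list) -> bytes:
    inner = b"".join(scts)
    return struct.pack(">H", len(inner)) + inner

# Constructed sample: three SCTs timestamped Jan. 1, 2015, one per log.
THREE_LOG_LIST = build_sct_list([build_sct(l, 1420070400000, b"\xaa" * 8)
                                 for l in (GOOGLE_LOG_A, GOOGLE_LOG_B, DIGICERT_LOG)])
```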
Mozilla also has committed to supporting CT in Firefox in future releases, but the feature won’t be enabled by default at first.