Three weeks after the first non-Google public log for Certificate Transparency was launched by DigiCert, officials at Venafi said that the company plans to debut its own public CT log.
On Jan. 1 Google approved the use of DigiCert’s log, the first CT log not operated by Google. Under the CT framework specification, certificate authorities that want to issue extended validation certificates now must enter those certificates in three separate logs. If an EV cert doesn’t meet the specification and isn’t in three logs, Google Chrome will not display the green indicator in the address bar.
The CT scheme is the brainchild of engineers at Google and is meant to help fix some of the trust problems that exist in the CA system. The scheme includes the concept of public logs of certificates, and the logs are cryptographically assured and append-only so that they can’t be tampered with. The scheme also requires that, as of July 1, all of the certificate proofs come from three independent logs.
The establishment of the Venafi certificate log will help make that process easier.
“Therefore, Venafi will be launching a public CT log that will satisfy the much-needed Google CT log operator requirements of three public CT log servers. This public CT log can be used by any publicly-trusted CA and site operator to publish issued certificates. Furthermore, any organization that acts as a log monitor is free to use the Venafi public CT log to support their efforts,” Walter Goulet of Venafi said in a blog post.
Right now, Google operates two CT logs of its own and DigiCert runs another. Other logs are pending inclusion in the framework: one from Izenpe, a Spanish CA, and another from Certly in the United States.
One of the main goals of the CT scheme is to help guard against the issuance of fraudulent or duplicate certificates. For several years attackers have stolen certificates or found ways to get valid certs issued for high-value domains, to great effect. Hackers have compromised several CAs in recent years and used that access to issue certificates for domains belonging to Google, Yahoo and others, and the attackers behind the Flame malware famously created a hash collision in order to obtain a valid Microsoft certificate to sign the malware.