Certificate Transparency


Certificate Transparency is an Internet security standard and open source framework for monitoring and auditing digital certificates. The standard creates a system of public logs that seek to eventually record all certificates issued by publicly trusted certificate authorities, allowing efficient identification of mistakenly or maliciously issued certificates.

Background

In 2011, a reseller of the certificate authority Comodo was attacked and the certificate authority DigiNotar was compromised, calling attention to existing flaws in the certificate authority ecosystem and accelerating work on various mechanisms to prevent or monitor unauthorized certificate issuance. Ben Laurie, Adam Langley and Emilia Käsper began work on an open source framework to combat these issues the same year. They submitted the first draft of the standard as an IETF Internet Draft in 2012 under the code-name "Sunlight".

Advantages

One of the problems with digital certificate management is that fraudulent certificates take a long time to be spotted, reported and revoked by the browser vendors. Certificate Transparency helps by making every certificate publicly visible in append-only logs, so that a certificate issued for a domain without the domain owner's authorization can be detected by anyone who monitors the logs for that domain, instead of going unnoticed until it is abused.
Certificate Transparency does not require side channel communication to validate a certificate at connection time, as do some competing technologies such as the Online Certificate Status Protocol and Convergence. Certificate Transparency also does not require the log operators to be trusted: a log's published output is signed and cryptographically verifiable, so any misbehavior by a log can be detected and proved rather than having to be taken on trust.

Certificate Transparency logs

Certificate Transparency depends on verifiable Certificate Transparency logs. A log appends new certificates to an ever-growing Merkle hash tree and periodically publishes a signed tree head over the current tree.
To be seen as behaving correctly, a log must check that each submitted certificate chains to one of the root certificates it accepts, must be append-only, so that the tree at any earlier size remains a prefix of every later tree, must sign every tree head it publishes, and must be able to produce on request a proof that any logged certificate is included in a signed tree head and a proof that any later signed tree head extends any earlier one.
A log may accept certificates that are not yet fully valid and certificates that have expired.

Certificate Transparency monitors

Monitors act as clients to the log servers. A monitor periodically fetches the entries of each log it watches, typically looking for certificates issued for domains it cares about, and at the same time checks that the log is behaving correctly, for example that every newer signed tree head is consistent with the ones it already holds. An inconsistency, such as two signed tree heads that cannot be reconciled by a consistency proof, proves that the log has not behaved correctly, and because the log signs its tree heads it cannot deny having published them.

Certificate Transparency auditors

Auditors also act as clients to the log servers. An auditor holds only partial information about a log, such as a signed tree head and the Signed Certificate Timestamp that accompanied a certificate it saw, and uses it to verify the log against other partial information it has: that the certificate is included in the tree behind a signed tree head, and that a later signed tree head is consistent with an earlier one. An auditor can be a standalone service, a secondary function of a monitor, or part of a TLS client.
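The Merkle tree described in the log section above, and the inclusion and consistency checks that monitors and auditors run against it, as an added example in Python that is not part of this page and is not code from any CT log or the certificate-transparency project. It follows the hashing and proof definitions of RFC 6962 section 2.1; the log entries are constructed byte strings standing in for the MerkleTreeLeaf structures a real log hashes, the signatures on tree heads are left out, and all function names are the example's own.

```python
"""RFC 6962 Merkle tree log with inclusion and consistency proofs.
Added example, not code from any CT log or the certificate-transparency
project; entries are constructed stand-ins for MerkleTreeLeaf structures."""
import hashlib

def leaf_hash(entry):
    # 0x00 prefix for leaves, 0x01 for interior nodes (RFC 6962 s2.1), so a
    # leaf value can never be passed off as an interior node or vice versa.
    return hashlib.sha256(b"\x00" + entry).digest()

def node_hash(left, right):
    return hashlib.sha256(b"\x01" + left + right).digest()

def split_point(n):
    # k = largest power of two strictly less than n (requires n > 1).
    k = 1
    while k * 2 < n:
        k *= 2
    return k

def tree_head(entries):
    # MTH(D[n]): the root a log signs and publishes as its Signed Tree Head.
    n = len(entries)
    if n == 0:
        return hashlib.sha256(b"").digest()
    if n == 1:
        return leaf_hash(entries[0])
    k = split_point(n)
    return node_hash(tree_head(entries[:k]), tree_head(entries[k:]))

def inclusion_proof(m, entries):
    # PATH(m, D[n]): sibling hashes from leaf m up to the root.
    n = len(entries)
    if n == 1:
        return []
    k = split_point(n)
    if m < k:
        return inclusion_proof(m, entries[:k]) + [tree_head(entries[k:])]
    return inclusion_proof(m - k, entries[k:]) + [tree_head(entries[:k])]

def consistency_proof(m, entries):
    # PROOF(m, D[n]): shows the size-m tree is a prefix of the size-n tree.
    def sub(m, part, known):
        n = len(part)
        if m == n:
            return [] if known else [tree_head(part)]
        k = split_point(n)
        if m <= k:
            return sub(m, part[:k], known) + [tree_head(part[k:])]
        return sub(m - k, part[k:], False) + [tree_head(part[:k])]
    return sub(m, entries, True)

def verify_inclusion(m, n, leaf, path, root):
    # Auditor side: rebuild the root from a leaf hash and its path using only
    # the leaf index, the tree size and the STH root, not the rest of the log.
    def rebuild(m, n, path):
        if n == 1:
            return leaf if not path else None
        if not path:
            return None
        k = split_point(n)
        if m < k:
            left = rebuild(m, k, path[:-1])
            return left and node_hash(left, path[-1])
        right = rebuild(m - k, n - k, path[:-1])
        return right and node_hash(path[-1], right)
    return 0 <= m < n and rebuild(m, n, path) == root

def verify_consistency(m, n, old_root, new_root, proof):
    # Monitor/auditor side: the proof must reproduce BOTH signed roots. A log
    # that rewrote or dropped an entry after signing old_root cannot produce
    # one, and that failure, with the two signed STHs, proves misbehaviour.
    def rebuild(m, n, proof, known):
        if m == n:
            if known:
                return (old_root, old_root) if not proof else None
            return (proof[0], proof[0]) if len(proof) == 1 else None
        if not proof:
            return None
        k = split_point(n)
        if m <= k:
            r = rebuild(m, k, proof[:-1], known)
            return r and (r[0], node_hash(r[1], proof[-1]))
        r = rebuild(m - k, n - k, proof[:-1], False)
        return r and (node_hash(proof[-1], r[0]), node_hash(proof[-1], r[1]))
    return 0 < m <= n and rebuild(m, n, proof, True) == (old_root, new_root)

def rewrite_detected():
    # Scenario: a monitor saved the STH for 3 entries; the log later replaces
    # entry 1, grows to 7 entries and offers a consistency proof. Returns
    # True when the verifier rejects it, i.e. the rewrite is caught.
    honest = [b"cert-%d" % i for i in range(7)]  # constructed entries
    old_root = tree_head(honest[:3])
    dishonest = list(honest)
    dishonest[1] = b"cert-1-rewritten"
    proof = consistency_proof(3, dishonest)
    return not verify_consistency(3, 7, old_root, tree_head(dishonest), proof)
```

rewrite_detected() plays the monitor's role: it keeps the root of the three-entry tree, lets the log replace entry 1 and grow to seven entries, then asks for a consistency proof; verify_consistency rejects it, and a monitor holding both signed tree heads would have evidence of the rewrite that the log cannot deny. One detail worth noticing is that when the older size is a power of two the proof does not contain the old root at all: the verifier has to supply it from the signed tree head it saved earlier, which is why an auditor must retain that head itself rather than ask the log for it.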

Certificate authority implementation

Google launched its first certificate transparency log in March 2013. In September 2013, DigiCert became the first certificate authority to implement Certificate Transparency.
Google Chrome began requiring Certificate Transparency for newly issued Extended Validation certificates in 2015. It began requiring Certificate Transparency for all certificates newly issued by Symantec from June 1, 2016, after Symantec was found to have issued 187 certificates without the domain owners' knowledge. Since April 2018, this requirement has been extended to all newly issued certificates.
Cloudflare announced its own CT log, named Nimbus, on March 23, 2018.
EJBCA, a certificate authority software implementation, added support for submitting certificates to CT logs and embedding the returned SCTs in issued certificates in .