Let’s Encrypt’s new CT log will be a major benefit to the entire CA ecosystem.
Earlier today Sectigo, the world’s largest Certificate Authority, announced that it would be sponsoring Let’s Encrypt’s new Certificate Transparency log, Oak, in its first year.
The sponsorship covers a large portion of the funding required to run such a log and ensures that CAs will have more options for logging certificates in the future.
There’s a little bit to unpack here, and some might be wondering why the world’s largest commercial CA would foot most of the bill for a free CA to do anything. So, today we’ll talk about that, about Certificate Transparency and about what this means for the greater SSL/TLS ecosystem.
Let’s hash it out.
Certificate Transparency and You
Certificate Transparency is a good thing. It’s the now-mandatory requirement that every trusted CA record every SSL/TLS certificate it issues in a trusted Certificate Transparency log – or rather, in two logs, as Google has made standard with its Chrome browser.
Right now, there are a handful of organizations, mostly CAs, that run logs:
The one thing that hamstrings CT logs is the sheer volume of certificates being issued. For instance, DigiCert runs several CT logs that it cycles through to ensure that it can keep up with the millions of digital certificates being issued every day. And the internet is at the mercy of these CT logs and how well they scale. They are, as Let’s Encrypt’s Josh Aas puts it, “critical infrastructure.”
So, spinning up new CT logs is a net positive for the SSL/TLS ecosystem and a boon to Let’s Encrypt.
We decided to create and operate a CT log for a few reasons. First, operating a log is consistent with our mission to create a more secure and privacy-respecting Web. We believe transparency increases security and empowers people to make well-informed decisions. Second, operating a log helps us take control of our destiny. Google Chrome requires all new certificates to be submitted to two separate logs, so multiple log options are imperative to our operation. Finally, Let’s Encrypt often issues more than 1M certificates each day, so we wanted to design a CT log that is optimized for high volume. We’ve designed our log to be able to handle submissions from all other publicly trusted Certificate Authorities so they can use Oak to fulfill their logging requirements as well.
Why did Sectigo support this?
There’s a fairly obvious question that may be percolating for you right now: why would a commercial CA like Sectigo offer to support a public CA that offers the same products for free?
The answer is two-fold. First of all, it’s a fairly progressive, big-picture move that recognizes Let’s Encrypt’s integral role in the industry. Let’s Encrypt serves a very important segment of the market that would otherwise go unserved. We’re on record as disagreeing with some of its methods, but we absolutely believe in its mission.
Clearly Sectigo does, too. And this move helps Let’s Encrypt to continue offering free domain validated SSL/TLS certificates to the public.
Second, as we mentioned earlier, regardless of who’s administering them, having additional CT logging options is good for the entire ecosystem. When CAs have issues logging certificates, it adds delays, and nobody wins when that happens. Having additional CT logs, as well as the new Woodpecker tool Let’s Encrypt is releasing to monitor them, improves security by giving organizations the tools to better fight mis-issuance and other issuance-related issues.
“As a member of the CA/Browser Forum, Sectigo is committed to advancing internet security through collaboration with other Certificate Authorities,” said Nick France, CTO of SSL, Sectigo. “Sectigo’s sponsorship of Let’s Encrypt’s efforts to bolster the CT ecosystem is another step in addressing the growing need for certificate transparency tools. It’s an important example of how CAs can work together to ensure the overall internet ecosystem is secure for users and businesses worldwide.”
If it feels like we’ve been talking about Sectigo a lot lately – we have. Since rebranding from Comodo CA to Sectigo last fall, the company has made a major push into IoT security and overhauled its Certificate Management platform to facilitate zero-touch deployment through integration with Active Directory. Sectigo is already the world’s largest CA, and it’s putting in the work to further its lead.
As always, leave any comments or questions below…