{"id":6548,"date":"2018-06-06T13:52:17","date_gmt":"2018-06-06T17:52:17","guid":{"rendered":"https:\/\/www.thesslstore.com\/blog\/?p=6548"},"modified":"2021-06-11T15:44:06","modified_gmt":"2021-06-11T19:44:06","slug":"only-certificate-authorities-need-to-worry-about-certificate-transparency","status":"publish","type":"post","link":"https:\/\/www.thesslstore.com\/blog\/only-certificate-authorities-need-to-worry-about-certificate-transparency\/","title":{"rendered":"Only Certificate Authorities need to worry about Certificate Transparency"},"content":{"rendered":"<h2>End users, resellers and enterprise clients don\u2019t need to take any action for CT<\/h2>\n<p>One of the most common questions we\u2019re getting about all of these <a href=\"https:\/\/www.thesslstore.com\/blog\/apple-certificate-transparency-october-15\/\" target=\"_blank\" rel=\"noopener\">Certificate Transparency announcements<\/a> is: \u201cwhat do I need to do to comply with CT?\u201d<\/p>\n<p>If you\u2019re not a Certificate Authority, the answer is: nothing.<\/p>\n<p>The party responsible for logging the certificates is the issuing Certificate Authority. And when you think about it, that also makes the most sense. Since the CA handles validation and issues the certificate from its own PKI, it has the biggest vested interest in making sure that the certificate is trusted by browsers. 
After all, <a href=\"https:\/\/www.thesslstore.com\/blog\/remove-trust-in-existing-symantec-ssl-certificates\/\" target=\"_blank\" rel=\"noopener\">it doesn\u2019t take too many <\/a>mis-issuances to attract the attention of Google and Mozilla.<\/p>\n<h2>How does Certificate Transparency work?<\/h2>\n<p>To help you better understand why you don\u2019t need to worry about Certificate Transparency unless you\u2019re a Certificate Authority, let\u2019s <a href=\"https:\/\/www.thesslstore.com\/blog\/certificate-transparency\/\" target=\"_blank\" rel=\"noopener\">look at how it all works:<\/a><\/p>\n<ol>\n<li>The process begins when the CA creates a \u201cpre-certificate.\u201d This pre-certificate contains all the same information that will be included in the SSL certificate. It gets sent to the CA\u2019s preferred CT log server at the outset of the process.<\/li>\n<li>The CT log server responds to the pre-certificate by returning a Signed Certificate Timestamp, or SCT. You might have seen SCT thrown around in relation to Certificate Transparency before. An SCT is essentially a tokenized promise to log the certificate within 24 hours of receipt. This window is known as the Maximum Merge Delay (MMD).<\/li>\n<li>The CA takes the SCT and adds it to the body of the SSL certificate when it\u2019s issued. That SCT serves as a signal to the browsers that the certificate it\u2019s attached to is published on a CT log. 
The SCT can be delivered three ways: via X509v3 extension, TLS extension or OCSP Stapling (see image below).<\/li>\n<\/ol>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-6555\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/06\/TSS-Certificate-Transparency-1.jpg\" alt=\"Certificate Transparency\" width=\"698\" height=\"417\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/06\/TSS-Certificate-Transparency-1.jpg 698w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/06\/TSS-Certificate-Transparency-1-300x179.jpg 300w\" sizes=\"auto, (max-width: 698px) 100vw, 698px\" \/><\/p>\n<p>For the sake of better security, some browsers (<a href=\"https:\/\/www.thesslstore.com\/blog\/apple-certificate-transparency-october-15\/\" target=\"_blank\" rel=\"noopener\">like Apple\u2019s Safari, for instance<\/a>) will require SCTs from multiple CT logs in order to trust a certificate. This just means that the CA issuing the certificate has to send pre-certificates to multiple CT logs. So for instance, <a class=\"wpil_keyword_link \" href=\"https:\/\/www.thesslstore.com\/digicert.aspx\"  title=\"DigiCert\" data-wpil-keyword-link=\"linked\">DigiCert<\/a> may log a certificate it\u2019s issuing on its own CT server, and then it may also send pre-certificates to Apple and Google for inclusion on their logs as well.<\/p>\n<h2>The CAs are the only ones required to do the logging?<\/h2>\n<p>Yes. For all intents and purposes, there are only two ways to log a certificate. The alternative is web crawlers, which can also see certificates and report them back to logs. 
The problem is that crawlers can\u2019t see everything on the web, so you would never get a complete picture.<\/p>\n<p>Certificate Transparency has long been a Google initiative, and with the entire internet moving towards HTTPS it makes sense to push for a system that requires greater accountability from issuing CAs\u2014especially in light of some of the issues that have occurred over the past few years with CAs like <a href=\"https:\/\/www.thesslstore.com\/blog\/woes-worsen-wosign\/\" target=\"_blank\" rel=\"noopener\">WoSign<\/a> and <a href=\"https:\/\/www.thesslstore.com\/blog\/startcom-ssl-shutting-down-2018\/\" target=\"_blank\" rel=\"noopener\">StartCom<\/a> making egregious mistakes. Certificate Transparency provides a greater level of oversight, making it easier to detect mis-issued certificates and revoke them.<\/p>\n<p>One of the biggest issues facing the SSL industry right now is the lack of a reliable revocation mechanism. Certificate Transparency doesn\u2019t fix that entirely, but it\u2019s certainly a step in the right direction.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>End users, resellers and enterprise clients don\u2019t need to take any action for CT One of the most common questions we\u2019re getting about all of these Certificate Transparency announcements 
is:&#8230;<\/p>\n","protected":false},"author":6,"featured_media":6549,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":"","tve_updated_post":"","tve_custom_css":"","tve_user_custom_css":"","tve_globals":{},"tcb2_ready":0,"tcb_editor_enabled":0,"tve_landing_page":"","_tve_header":"","_tve_footer":""},"categories":[17],"tags":[187,302],"class_list":["post-6548","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-industry-lowdown","tag-certificate-transparency","tag-certificate-transparency-logs","post-with-tags"],"views":12384,"jetpack_featured_media_url":"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/06\/bigstock-Compliance-Rules-Law-Regulatio-237809386.jpg","_links":{"self":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts\/6548","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/users\/6"}],"replies":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/comments?post=6548"}],"version-history":[{"count":0,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts\/6548\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/media\/6549"}],"wp:attachment":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/media?parent=6548"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/categories?post=6548"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/tags?post=6548"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templat
ed":true}]}}