Certificate Transparency – Clarification of requirements for Comodo SSL customers

Google’s Certificate Transparency (CT) project is an effort to make the SSL certificate system safer.

It provides a means for the public logging of SSL certificates, so that a certificate with something wrong with it is spotted as early as possible, any damage it might do is minimized, and remedial action can be taken to stop the problem or error recurring.

Besides investing time and ingenuity in creating CT, Google did two things to promote its use:

  • They ‘primed the pump’ by putting into their CT logs every trusted SSL certificate that their web crawlers find.  That’s a lot of certificates.
  • They changed their very popular ‘Chrome’ browser so that EV SSL certificates only work as expected in that browser if they have also been put into a CT log.  That means you’ll find most EV SSL certificates in CT logs.

SSL customers

Sometimes people ordering SSL certificates have reasons for not wanting the certificates to be public.  That might be because they have computer systems communicating privately over the internet and don’t want to advertise the end points, or because the certificate is for an internal website for a new top-secret product within their organization and they don’t want their competitors to get a sniff of what they’re doing.

Comodo likes to give our customers the choice, where we can, about whether their certificates go into a CT log or not.

Interestingly, Symantec is no longer able to offer quite as much of a choice to its customers.  Due to some issuance and reporting problems, Google is requiring of Symantec “that as of June 1st, 2016, all certificates issued by Symantec itself will be required to support Certificate Transparency.”

Symantec is preparing to comply with Google’s requirements, but has been stating that all certificates (not just Symantec’s own) must be put into CT logs.  That has caused some confusion for our customers and other CAs’ customers, and we feel we must correct the mistaken impression this creates.

All of Symantec’s certificates are required to support CT (i.e. to have been submitted to a CT log) if they are to be trusted in Google’s Chrome browser.  This includes their EV, OV and DV certificates. This overarching rule does not apply to Comodo’s certificates – only our EV certificates must be submitted (as must the EV certificates of every other CA).
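Whether a certificate “supports CT” in the sense used above and in the Chrome EV rule is evidenced by Signed Certificate Timestamps (SCTs), the receipts a log returns when a certificate is submitted to it. One way a CA delivers them is by embedding a SignedCertificateTimestampList (RFC 6962 section 3.3, X.509 extension OID 1.3.6.1.4.1.11129.2.4.2) in the certificate itself. The following is an added example, not code from Comodo or from this post: a parser for that structure, with a check of how many distinct logs vouched for the certificate, which is what browser CT policies count. The function names, the sample list, the log IDs and the placeholder signature bytes are all constructed for illustration; the signatures are not verified.

```python
"""Parse an RFC 6962 SignedCertificateTimestampList, the structure a CA
embeds in a certificate (extension OID 1.3.6.1.4.1.11129.2.4.2) to show
that the certificate was submitted to CT logs.  Sample data at the bottom
is constructed for illustration, not taken from a real certificate."""
import struct
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List

SCT_EXTENSION_OID = "1.3.6.1.4.1.11129.2.4.2"   # RFC 6962 section 3.3

HASH_ALGORITHMS = {4: "sha256"}                 # subset of RFC 5246 HashAlgorithm
SIGNATURE_ALGORITHMS = {1: "rsa", 3: "ecdsa"}   # RFC 5246 SignatureAlgorithm


@dataclass
class SCT:
    version: int
    log_id: bytes          # SHA-256 of the log's public key (32 bytes)
    timestamp_ms: int      # ms since the Unix epoch when the log accepted the cert
    extensions: bytes
    hash_alg: str
    sig_alg: str
    signature: bytes       # not verified in this example

    @property
    def timestamp(self) -> datetime:
        return datetime.fromtimestamp(self.timestamp_ms / 1000, tz=timezone.utc)


def _read_opaque16(buf: bytes, off: int):
    """Read a TLS-style opaque<0..2^16-1>: 2-byte big-endian length, then bytes."""
    if off + 2 > len(buf):
        raise ValueError("truncated length prefix")
    (length,) = struct.unpack_from("!H", buf, off)
    off += 2
    if off + length > len(buf):
        raise ValueError("truncated opaque<2^16> field")
    return buf[off:off + length], off + length


def parse_sct(data: bytes) -> SCT:
    """Parse one SerializedSCT body (version 1 only, as defined in RFC 6962)."""
    if len(data) < 1 + 32 + 8 + 2 + 2 + 2:
        raise ValueError("SCT too short")
    version = data[0]
    if version != 0:                       # v1 is encoded as 0
        raise ValueError(f"unsupported SCT version {version}")
    log_id = data[1:33]
    (timestamp_ms,) = struct.unpack_from("!Q", data, 33)
    extensions, off = _read_opaque16(data, 41)
    hash_id, sig_id = data[off], data[off + 1]
    signature, off = _read_opaque16(data, off + 2)
    if off != len(data):
        raise ValueError("trailing bytes after SCT signature")
    return SCT(version, log_id, timestamp_ms, extensions,
               HASH_ALGORITHMS.get(hash_id, f"unknown({hash_id})"),
               SIGNATURE_ALGORITHMS.get(sig_id, f"unknown({sig_id})"),
               signature)


def parse_sct_list(data: bytes) -> List[SCT]:
    """Parse the outer list: opaque<1..2^16-1> holding length-prefixed SCTs."""
    body, off = _read_opaque16(data, 0)
    if off != len(data):
        raise ValueError("trailing bytes after SCT list")
    scts, pos = [], 0
    while pos < len(body):
        raw, pos = _read_opaque16(body, pos)
        scts.append(parse_sct(raw))
    return scts


def distinct_logs(scts: List[SCT]) -> int:
    """Number of distinct logs that vouched for the certificate.
    Browser CT policies count logs, not SCTs, so duplicates from one log don't help."""
    return len({s.log_id for s in scts})


# --- constructed sample data (hypothetical log IDs, placeholder signature) ---
def build_sct(log_id: bytes, timestamp_ms: int, signature: bytes = b"\xde\xad\xbe\xef") -> bytes:
    body = bytes([0]) + log_id + struct.pack("!Q", timestamp_ms) + b"\x00\x00"   # v1, no extensions
    body += bytes([4, 3]) + struct.pack("!H", len(signature)) + signature        # sha256 / ecdsa
    return struct.pack("!H", len(body)) + body


def encode_sct_list(serialized_scts: List[bytes]) -> bytes:
    body = b"".join(serialized_scts)
    return struct.pack("!H", len(body)) + body


SAMPLE_TS = 1462060800000   # 2016-05-01T00:00:00Z, constructed
SAMPLE_SCT_LIST = encode_sct_list([
    build_sct(bytes([0x11]) * 32, SAMPLE_TS),
    build_sct(bytes([0x22]) * 32, SAMPLE_TS + 5000),
])

if __name__ == "__main__":
    scts = parse_sct_list(SAMPLE_SCT_LIST)
    for sct in scts:
        print(sct.log_id.hex()[:16], sct.timestamp.isoformat(), sct.hash_alg, sct.sig_alg)
    print("distinct logs:", distinct_logs(scts))
```

Run against the raw bytes of a real certificate’s SCT extension, the parser tells you which logs accepted the certificate and when; a certificate with no such extension (and no SCTs delivered by TLS extension or stapled OCSP, the other two RFC 6962 delivery routes) is one that was not submitted to any log.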

Certificate Transparency is about openness.  Being open and telling the truth is a good thing.

When you are in the Trust business, you have to be willing to not only tell the truth, but to tell people the whole truth.

