Certificate Transparency (CT) is an Internet security standard for monitoring and auditing the issuance of digital certificates.[1] When an internet user interacts with a website, a trusted third party is needed to assure the user that the website is legitimate and that the website's encryption key is valid. This third party, called a certificate authority (CA), will issue a certificate for the website that the user can validate. The security of encrypted internet traffic (HTTPS) depends on the trust that certificates are only given out by the certificate authority and that the certificate authority has not been compromised.
Certificate Transparency makes public all issued certificates, giving website owners and auditors the ability to detect and expose inappropriately issued certificates.
Work on Certificate Transparency first began in 2011 after the certificate authority DigiNotar became compromised and started issuing malicious certificates. Google engineers submitted a draft to the Internet Engineering Task Force (IETF) in 2012. This effort resulted in an IETF standard defining a system of public logs to record all certificates issued by publicly trusted certificate authorities, allowing efficient identification of mistakenly or maliciously issued certificates.[2]
The certificate transparency system consists of a system of append-only certificate logs. Logs are operated by many parties, including browser vendors and certificate authorities.[3] Certificates that support certificate transparency must include one or more signed certificate timestamps (SCTs), each of which is a promise from a log operator to include the certificate in their log within a maximum merge delay (MMD).[4] At some point within the maximum merge delay, the log operator adds the certificate to their log. Each entry in a log references the hash of a previous one, forming a Merkle tree. The signed tree head (STH) references the current root of the Merkle tree.
Although anyone can submit a certificate to a CT log, this task is commonly carried out by a CA as follows:[5]
Finally, a CA may decide to log the final certificate as well. Let's Encrypt E1 CA, for example, logs both precertificates and final certificates (see the CA's crt.sh profile page under the 'issued certificates' section), whereas Google GTS CA 2A1 does not (see its crt.sh profile page).
Some browsers require TLS certificates to have proof of being logged with certificate transparency,[7] either through SCTs embedded into the certificate, an extension during the TLS handshake, or through OCSP:
Due to the large quantities of certificates issued with the Web PKI, certificate transparency logs can grow to contain many certificates. This large quantity of certificates can cause strain on logs. Temporal sharding is a method to reduce the strain on logs by sharding a log into multiple logs, and having each shard only accept precertificates and certificates with an expiration date in a particular time period (usually a calendar year).[8] [9] Cloudflare's Nimbus series of logs was the first to use temporal sharding.
One of the problems with digital certificate management is that fraudulent certificates take a long time to be spotted, reported and revoked. An issued certificate not logged using Certificate Transparency may never be spotted at all. Certificate Transparency makes it possible for the domain owner (and anyone interested) to learn of any certificate issued for a domain.
Certificate Transparency depends on verifiable Certificate Transparency logs. A log appends new certificates to an ever-growing Merkle hash tree.[1] To be seen as behaving correctly, a log must:
A log may accept certificates that are not yet fully valid and certificates that have expired.
Monitors act as clients to the log servers. Monitors check logs to make sure they are behaving correctly. An inconsistency is used to prove that a log has not behaved correctly, and the signatures on the log's data structure (the Merkle tree) prevent the log from denying that misbehavior.
Auditors also act as clients to the log servers. Certificate Transparency auditors use partial information about a log to verify the log against other partial information they have.
Apple[10] and Google[11] have separate log programs with distinct policies and lists of trusted logs.
Certificate Transparency logs maintain their own root stores and only accept certificates that chain back to the trusted roots.[1] A number of misbehaving logs have published inconsistent root stores in the past.[12]
In 2011, a reseller of the certificate authority Comodo was attacked and the certificate authority DigiNotar was compromised,[13] demonstrating existing flaws in the certificate authority ecosystem and prompting work on various mechanisms to prevent or monitor unauthorized certificate issuance. Google employees Ben Laurie, Adam Langley and Emilia Kasper began work on an open source framework for detecting mis-issued certificates the same year. In 2012, they submitted the first draft of the standard to IETF under the code-name "Sunlight".[14]
In March 2013, Google launched its first certificate transparency log.[15]
In June 2013, "Certificate Transparency" was published, based on the 2012 draft.
In September 2013, DigiCert became the first certificate authority to implement Certificate Transparency.[16]
In 2015, Google Chrome began requiring Certificate Transparency for newly issued Extended Validation Certificates.[17] [18] It began requiring Certificate Transparency for all certificates newly issued by Symantec from June 1, 2016, after they were found to have issued 187 certificates without the domain owners' knowledge.[19] [20] Since April 2018, this requirement has been extended to all certificates.[21]
On March 23, 2018, Cloudflare announced its own CT log named Nimbus.[22]
In May 2019, certificate authority Let's Encrypt launched its own CT log called Oak. Since February 2020, it has been included in approved log lists and is usable by all publicly-trusted certificate authorities.[23]
In December 2021, "Certificate Transparency Version 2.0" was published. Version 2.0 includes major changes to the required structure of the log certificate, as well as support for Ed25519 as a signature algorithm of SCTs and support for including certificate inclusion proofs with the SCT.
In February 2022, Google published an update to their CT policy,[24] which removes the requirement for certificates to include an SCT from their own CT log service, matching all the requirements for certificates to those previously published by Apple.[25]
In Certificate Transparency Version 2.0, a log must use one of the algorithms in the IANA registry "Signature Algorithms".[26]