Google announced the requirement for Certificate Transparency for all new SSL/TLS certificates in October 2017. This requirement means that Chrome will no longer trust new SSL/TLS certificates that are not qualified for Certificate Transparency (CT).
CT is a method of publishing all certificates in one or more publicly available CT logs that meet the qualification requirements established by Google. CT logs can be audited to ensure they are honest. Domain owners can use the CT logs to monitor their domains and discover SSL/TLS certificates issued for them.
There are two main benefits of CT:
A disadvantage of logging all SSL/TLS certificates is that some of the domain names exposed may be considered private or security sensitive. Although many SSL/TLS certificates are available to the public, some are internal. Exposing all domain names would give an attacker a blueprint of all secure servers. In addition, server host names can expose their purpose or confidential information (e.g., payments.example.com).
Domain name redaction would provide a method for CT logging while protecting the privacy of domain names. A proposed redaction method would be to replace the private domain name with a question mark. For instance, a certificate for “payments.example.com” would be logged with the domain name “?.example.com”.
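As an added example (not code from the original post or from Entrust Datacard), the following Python sketches the redaction scheme just described, where the private labels of a host name are replaced by "?" before logging, together with a small monitor of the kind a domain owner would run over CT log entries. The log entries, the number of labels kept visible (two, so that "example.com" survives), the one-"?"-per-hidden-label rule and the issuer names are all constructed assumptions for the illustration; real CT logs are queried over the RFC 6962 API, which this example does not touch.

```python
from dataclasses import dataclass


def redact(hostname: str, public_labels: int = 2) -> str:
    """Replace every label left of the registrable domain with '?'.

    Assumption: the rightmost `public_labels` labels stay visible and each
    hidden label becomes one '?', so 'payments.example.com' -> '?.example.com'.
    """
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) <= public_labels:
        return ".".join(labels)  # nothing private to hide
    hidden = ["?"] * (len(labels) - public_labels)
    return ".".join(hidden + labels[-public_labels:])


def matches_redacted(redacted: str, hostname: str) -> bool:
    """True if a redacted name could have been produced from `hostname`."""
    r = redacted.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(r) != len(h):
        return False
    return all(a == "?" or a == b for a, b in zip(r, h))


@dataclass
class LogEntry:
    """Constructed stand-in for a CT log entry: index, issuer, SAN names."""
    index: int
    issuer: str
    names: list


def covers_domain(name: str, domain: str) -> bool:
    """True if a logged name (plain, redacted or wildcard) is under `domain`."""
    name = name.lower().rstrip(".")
    return name == domain or name.endswith("." + domain)


def monitor(entries, domain, known_hosts, known_issuers):
    """Flag entries for `domain` that the owner did not expect.

    Returns (log index, name, reason) tuples. Redacted and wildcard names
    cannot be matched against the known-host list, so they are reported
    for manual verification rather than silently accepted.
    """
    known = {h.lower() for h in known_hosts}
    findings = []
    for e in entries:
        for n in e.names:
            if not covers_domain(n, domain):
                continue
            if e.issuer not in known_issuers:
                findings.append((e.index, n, "unexpected issuer"))
            elif "?" in n.split("."):
                findings.append((e.index, n, "redacted name, verify with issuer"))
            elif n.startswith("*."):
                findings.append((e.index, n, "wildcard covers every subdomain"))
            elif n.lower() not in known:
                findings.append((e.index, n, "unknown hostname"))
    return findings


# Constructed sample log entries (not real certificates or CT log data).
SAMPLE_ENTRIES = [
    LogEntry(1001, "Example CA", ["www.example.com", "example.com"]),
    LogEntry(1002, "Example CA", ["?.example.com"]),
    LogEntry(1003, "Other CA", ["mail.example.com"]),
    LogEntry(1004, "Example CA", ["*.example.com"]),
    LogEntry(1005, "Example CA", ["shop.example.net"]),
]

KNOWN_HOSTS = ["www.example.com", "example.com"]
KNOWN_ISSUERS = {"Example CA"}


if __name__ == "__main__":
    print(redact("payments.example.com"))
    for finding in monitor(SAMPLE_ENTRIES, "example.com", KNOWN_HOSTS, KNOWN_ISSUERS):
        print(*finding)
```

The monitor deliberately treats a redacted entry as something to check with the issuer rather than as a match or a non-match: that is the trade-off redaction introduces for the monitoring benefit the post describes, since "?.example.com" tells the owner a certificate exists under their domain but not which host it names.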
Domain name redaction has been a topic for consideration since 2014 in the IETF, but was not addressed in the standard RFC 6962. Google did not permit redaction in their certificate transparency plan for EV SSL/TLS certificates starting in 2015. Redaction is still under consideration for the development of the new CT draft standard RFC 6962-bis, but is not currently supported.
When considering CT logging of public-trust certificates, there are several ways domain names can be kept private:
It appears that there are drawbacks to all of the available options. If domain owners do not CT log their certificates, Chrome will not trust them. Issuing a private trust certificate would require the private trust root certificate to be distributed to all clients. Lastly, wildcard certificates may introduce security risks by using a single key pair to protect many subdomains.
Entrust Datacard and other certification authorities are looking for use cases where the domain owner considers their domain name needs to be protected. The goal is to propose technical options and policy statements for domain name redaction.
Here’s a CT survey for domain owners. Please take a moment to complete. Your feedback is greatly appreciated and will help us to make improvements that protect your domain privacy.