Definition
Certificate Transparency
Certificate Transparency (CT) is a standard proposed in 2012 to tackle the false issuance of certificates. All certificates issued by trusted CAs are published in append-only, cryptographically protected, publicly auditable logs to spot maliciously or mistakenly issued certificates.
Process
- The domain owner files a request to obtain a valid certificate for their domain.
- The CA verifies entitlement and sends a pre-certificate to one or more logs.
- Each contacted log verifies the certificate chain, sends a signed certificate timestamp (SCT) to the CA, and adds the pre-certificate to the log within a certain timeframe (MMD).
- The CA issues a certificate containing the same information as the pre-certificate and the SCT.
Alternative Implementations
SCTs can also be delivered via a TLS extension or the OCSP protocol instead of being embedded into the certificate.
Monitoring
Monitors
Monitors can be periodically run on existing logs to:
- notify a website operator about the issuance of a new certificate for their domain
- check for certificates with unusual extensions or permissions (e.g. the ability to sign other certificates)
- verify the consistency of a log and the correct inclusion of certificates within the log