
How Temporal Sharding Helps to Ease the Challenge of Growing CT Log Scale

June 27, 2018 | David Bisson

May 1st marked a historic development for Google. That’s the day when a mandate requiring Chromium Certificate Transparency (CT) Policy compliance of all newly issued TLS certificates for the Chrome Browser came into force. Google declared that a website’s publicly trusted certificates issued by a certificate authority (CA) must appear in a CT log, a network service which maintains records of digital certificates. Otherwise, the tech giant said it would display a warning message to visitors and prevent any of the website’s sub-resources served over HTTPS from loading properly.

Google’s mandate helps advance the mission of the Certificate Transparency framework: early detection of mis-issued certificates, faster mitigation of suspect certificates and better oversight of the entire TLS/SSL system. Even so, it doesn’t account for one important reality in the industry today: the booming public key infrastructure (PKI) market.

PKI: How It Disagrees with Google’s Policy

As defined by TechTarget, PKI consists of rules and policies that support the distribution and identification of public encryption keys necessary for users to exchange sensitive data with other parties over the web. It acts as the foundation of machine identity protection and helps validate the authenticity of a data transaction. Accordingly, organizations are increasingly turning to public key infrastructure to fuel their digital transformations, which is contributing to the global PKI market’s maturation and growth. Market Research Future found in a 2018 report that the PKI market is expected to grow at a compound annual growth rate (CAGR) of 22.7 percent between 2017 and 2023. It will be worth just shy of $2 billion by 2023, reported Reuters.

Where Google’s policy falls short is its assumption that logs will accept certificates indefinitely. This isn’t sustainable over the long term. As logs amass hundreds of millions of certificates, operators will find it increasingly difficult to maintain them. Not only that, but the failure of a single log will have a dramatic effect on the operability of the countless websites whose certificates are recorded in it.

A Solution for the New World

To address this problem, DigiCert has recommended temporal sharding. It’s an approach in which logs accept certificates based on their “notBefore” and “notAfter” values. This date range is stored in the certificate itself as its validity period.

With temporal sharding, a logical log consists of multiple physical logs, each covering a segment of time, that together evaluate certificates’ validity periods. For instance, a physical log sharded into a one-year segment would check a certificate’s validity period. If its expiration date falls after that segment’s cutoff date, the log would reject it, and the certificate would be submitted to the next physical log in sequence. It would move from log to log until its validity period matches the window of one of the physical logs.
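The routing described above, as an added example that is not code from the original post or from DigiCert: a logical log built from one-year physical shards, and a certificate walked along the shards until one accepts it. It assumes, as a modelling choice, that each shard is keyed on the certificate’s notAfter with a start date that is inclusive and an end date that is exclusive; the shard names and validity dates are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

UTC = timezone.utc


@dataclass(frozen=True)
class Shard:
    """One physical log in the logical log. Assumption: it accepts only
    certificates whose notAfter falls in [start, end); notBefore is not consulted."""
    name: str
    start: datetime
    end: datetime

    def accepts(self, not_after: datetime) -> bool:
        return self.start <= not_after < self.end


def one_year_shards(prefix: str, first_year: int, count: int) -> List[Shard]:
    """Build consecutive one-year shards (constructed names such as 'example2019')."""
    return [
        Shard(f"{prefix}{y}", datetime(y, 1, 1, tzinfo=UTC), datetime(y + 1, 1, 1, tzinfo=UTC))
        for y in range(first_year, first_year + count)
    ]


def select_shard(shards: List[Shard], not_before: datetime, not_after: datetime) -> Optional[str]:
    """Walk the shards in sequence until one accepts the certificate. Returns the
    shard name, or None when no shard covers the expiry date (the logical log
    would need to be extended with a further shard before the cert can be logged)."""
    if not_after <= not_before:
        raise ValueError("notAfter must be later than notBefore")
    for shard in shards:
        if shard.accepts(not_after):
            return shard.name
    return None


def demo() -> dict:
    """Constructed validity periods routed through a four-shard logical log."""
    shards = one_year_shards("example", 2018, 4)  # example2018 .. example2021
    certs = {
        "short_lived": (datetime(2018, 6, 1, tzinfo=UTC), datetime(2018, 9, 1, tzinfo=UTC)),
        "two_year": (datetime(2018, 6, 1, tzinfo=UTC), datetime(2020, 6, 1, tzinfo=UTC)),
        "boundary": (datetime(2019, 1, 1, tzinfo=UTC), datetime(2020, 1, 1, tzinfo=UTC)),  # exactly on a cutoff
        "too_far": (datetime(2021, 6, 1, tzinfo=UTC), datetime(2023, 6, 1, tzinfo=UTC)),  # past the last shard
    }
    return {name: select_shard(shards, nb, na) for name, (nb, na) in certs.items()}
```

The "boundary" case shows why the cutoff must be defined precisely: a certificate expiring at exactly 2020-01-01 00:00 UTC lands in the 2020 shard, not the 2019 one, and "too_far" shows a certificate no existing shard will accept.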

Temporal sharding could help logs keep up with the explosion of digital certificates that’s set to occur over the next five years. But it can’t help organizations protect their PKI against digital threats. To accomplish that task, organizations need to automate their PKI security for all of their keys and certificates.


About the author

David Bisson

David Bisson writes for Venafi's blog and is an expert in machine identity protection.
