How Temporal Sharding Helps to Ease the Challenge of Growing CT Log Scale

June 27, 2018 | David Bisson

May 1st marked a historic development for Google. That’s the day Chrome’s requirement that all newly issued TLS certificates comply with the Chromium Certificate Transparency (CT) Policy came into force. Google declared that a website’s publicly trusted certificates issued by a certificate authority (CA) must appear in a CT log, a network service that maintains an append-only record of issued certificates. Otherwise, the tech giant said, Chrome would display a warning message to visitors and prevent any of the website’s sub-resources served over HTTPS from loading properly.

Google’s mandate helps advance the mission of the Certificate Transparency framework to allow for early detection of mis-issued certificates, faster mitigation of suspect certificates and better oversight of the entire TLS/SSL system. Even so, it doesn’t account for one important reality in the industry today. That is the booming public key infrastructure (PKI) market.

PKI: How It Disagrees with Google’s Policy

As defined by TechTarget, PKI consists of rules and policies that support the distribution and identification of public encryption keys necessary for users to exchange sensitive data with other parties over the web. It acts as the foundation of machine identity management and helps validate the authenticity of a data transaction. Accordingly, organizations are increasingly turning to public key infrastructure to fuel their digital transformations, which is contributing to the global PKI market’s maturation and growth. Market Research Future found in a 2018 report that the PKI market is expected to grow at a compound annual growth rate (CAGR) of 22.7 percent between 2017 and 2023. It will be worth just shy of $2 billion by 2023, reported Reuters.

Where Google’s policy falls short is its assumption that logs will accept certificates indefinitely. This isn’t sustainable over the long term. As logs amass hundreds of millions of certificates, operators will find them increasingly difficult to maintain. Not only that, but any failure of a single log will have a dramatic effect on the operability of countless websites whose certificates depend on it.

A Solution for the New World

To address this problem, DigiCert has recommended temporal sharding. It’s a course of action whereby logs accept certificates according to their “notBefore” and “notAfter” values. This date range is stored in the certificate itself as its validity period.

Via temporal sharding, a log would consist of multiple physical logs acting together as one logical log, with each physical log responsible for a slice of the validity-period timeline. For instance, a physical log sharded into a one-year time segment would evaluate a certificate’s validity period. If the certificate’s expiration date falls after that segment, the log would reject it, and the certificate would go to the next physical log in sequence. It would then go from log to log until its validity period matches the time segment of one of the physical logs.
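The routing rule just described, as an added illustration that is not part of the original post or of any log operator’s code: a logical log is modelled as a sequence of one-year physical shards, and a certificate is walked along them until one whose window covers its notAfter date accepts it. The shard names and the validity periods below are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional


@dataclass(frozen=True)
class Shard:
    """One physical log. It accepts a certificate only when the certificate's
    notAfter falls inside the half-open window [start, end)."""
    name: str
    start: datetime
    end: datetime

    def accepts(self, not_after: datetime) -> bool:
        return self.start <= not_after < self.end


def build_yearly_shards(log_name: str, first_year: int, last_year: int) -> List[Shard]:
    """Build one shard per calendar year. Names such as 'example2019' are
    constructed for this illustration, not a real operator's naming scheme."""
    shards = []
    for year in range(first_year, last_year + 1):
        start = datetime(year, 1, 1, tzinfo=timezone.utc)
        end = datetime(year + 1, 1, 1, tzinfo=timezone.utc)
        shards.append(Shard(f"{log_name}{year}", start, end))
    return shards


def route_certificate(shards: List[Shard], not_before: datetime, not_after: datetime) -> Optional[str]:
    """Walk the physical logs in sequence: a shard whose window does not cover the
    certificate's expiry rejects it and the certificate moves to the next one.
    Returns the accepting shard's name, or None when no shard covers the expiry
    (the logical log as a whole then has nowhere to record the certificate)."""
    if not_after <= not_before:
        raise ValueError("invalid validity period: notAfter is not after notBefore")
    for shard in shards:
        if shard.accepts(not_after):
            return shard.name
    return None


def route_iso(shards: List[Shard], not_before_iso: str, not_after_iso: str) -> Optional[str]:
    """Convenience wrapper taking timestamps like '2019-06-01T00:00:00+00:00'."""
    return route_certificate(shards, datetime.fromisoformat(not_before_iso),
                             datetime.fromisoformat(not_after_iso))


if __name__ == "__main__":
    logical_log = build_yearly_shards("example", 2018, 2020)
    # Constructed validity periods, not taken from any real certificate.
    for nb, na in [("2018-06-01T00:00:00+00:00", "2019-06-01T00:00:00+00:00"),
                   ("2020-06-01T00:00:00+00:00", "2021-06-01T00:00:00+00:00")]:
        print(na, "->", route_iso(logical_log, nb, na))
```

A certificate expiring exactly at midnight on 1 January lands in the new year’s shard because each window is half-open; a certificate expiring after the last shard is refused by the whole logical log, which is the case an operator must plan for by standing up next year’s shard ahead of time.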

Temporal sharding could help logs keep up with the explosion of digital certificates that’s set to occur over the next five years. But it can’t help organizations protect their PKI against digital threats. To accomplish that task, organizations need to automate their PKI security for all of their keys and certificates.

About the author

David Bisson

David Bisson is a security journalist who works as Contributing Editor for IBM's Security Intelligence, Associate Editor for Tripwire and Contributing Writer for Gemalto, Venafi, Zix, Bora Design and others.
