
The Need for Certificate Transparency

January 27, 2015 | Walter Goulet

An inherent weakness in the Internet’s Public Key Infrastructure (PKI) is the ‘equivalency of trust’ that is placed on trusted Certificate Authorities (CAs). Any CA that is trusted by a browser, operating system, or application-specific trust store can issue a certificate for any domain. As a result, in the event of CA compromise, it is possible for a CA to issue counterfeit certificates for any domain without the knowledge and approval of HTTPS site operators.

Technical controls to detect and possibly prevent this scenario have been proposed as extensions to DNS, such as Certificate Authority Authorization (CAA) and DNS-based Authentication of Named Entities (DANE). However, these controls require all DNS clients to be updated in order to support the new extensions, making deployment in the short term infeasible.

Google Certificate Transparency

In 2013, Google started an industry-wide initiative to address this issue, called Certificate Transparency or CT. With CT, public logs will be used to record issuance of publicly-trusted EV (Extended Validation) certificates. These logs can then be monitored by site operators to look for rogue instances of their domains. If duplicate certificates for the same domain are discovered by site operators in the logs, the site operator can take action to resolve the issue.

As part of the CT design, Google anticipates that one or more organizations would act as CT log monitors. These log monitors would periodically search through CT logs to detect possible mis-issuance events.
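
The monitoring step described above can be sketched as follows. This is an added example, not code from Venafi or Google: it assumes log entries have already been fetched and parsed into dictionaries (the `index`, `issuer`, `dns_names` and `der` fields are a hypothetical format), and that the site operator keeps an inventory of SHA-256 fingerprints for the certificates it actually requested.

```python
import hashlib

def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a certificate's DER encoding."""
    return hashlib.sha256(der).hexdigest()

def covers(cert_name: str, watched: str) -> bool:
    """True if a certificate DNS name is the watched domain or falls under it."""
    cert_name = cert_name.lower().rstrip(".")
    watched = watched.lower().rstrip(".")
    if cert_name.startswith("*."):
        cert_name = cert_name[2:]  # treat a wildcard as a claim on its parent zone
    # Exact match or a true subdomain; "notexample.com" must not match "example.com".
    return cert_name == watched or cert_name.endswith("." + watched)

def find_unexpected(entries, watched_domains, known_fingerprints):
    """Return log entries that name a watched domain but are not in the inventory."""
    alerts = []
    for entry in entries:
        hits = sorted({w for w in watched_domains
                       for name in entry["dns_names"] if covers(name, w)})
        if hits and fingerprint(entry["der"]) not in known_fingerprints:
            alerts.append({"index": entry["index"],
                           "issuer": entry["issuer"],
                           "domains": hits})
    return alerts

# Constructed sample data: placeholder bytes stand in for real DER certificates,
# and the issuer names are made up for illustration.
LEGIT_DER = b"constructed-placeholder-cert-1"
ROGUE_DER = b"constructed-placeholder-cert-2"
SAMPLE_ENTRIES = [
    {"index": 101, "issuer": "Example CA A", "dns_names": ["www.example.com"], "der": LEGIT_DER},
    {"index": 102, "issuer": "Example CA B", "dns_names": ["*.example.com"], "der": ROGUE_DER},
    {"index": 103, "issuer": "Example CA B", "dns_names": ["notexample.com"],
     "der": b"constructed-placeholder-cert-3"},
]
KNOWN = {fingerprint(LEGIT_DER)}  # the operator's own certificate inventory

if __name__ == "__main__":
    for alert in find_unexpected(SAMPLE_ENTRIES, ["example.com"], KNOWN):
        print("unexpected certificate:", alert)
```

Only entry 102 is reported: it names the watched domain and its fingerprint is absent from the operator's inventory, which is the signal a site operator would investigate with the issuing CA.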

As a market leader in Next Generation Trust Protection, Venafi recognizes the value of the CT initiative as another important step to ensure online trust for certificates issued. Therefore, Venafi will be launching a public CT log that will satisfy the much-needed Google CT log operator requirements of three public CT log servers. This public CT log can be used by any publicly-trusted CA and site operator to publish issued certificates. Furthermore, any organization that acts as a log monitor is free to use the Venafi public CT log to support their efforts.

Venafi is proud to support the Google CT initiative and looks forward to providing enhanced security for all public CA customers.


About the author

Walter Goulet

Walter is Senior Product Manager of Cloud Solutions at Venafi. He is responsible for developing product feature definitions and market requirements for Venafi SaaS solutions.
