An inherent weakness in the Internet’s Public Key Infrastructure (PKI) is the ‘equivalency of trust’ that is placed on trusted Certificate Authorities (CA)s. Any CA that is trusted by a browser, operating system, or application-specific trust store can issue a certificate for any domain. As a result, in the event of CA compromise, it is possible for a CA to issue counterfeit certificates for any domain without the knowledge and approval of HTTPS site operators.
Technical controls to detect and possibly prevent this scenario have been proposed by extensions to DNS, such as Certificate Authority Authorization (CAA) and DNS-based Authentication of Named Entities (DANE). However, these controls require all DNS clients to be updated in order to support the new extensions, making deployment in the short term infeasible.
In 2013, Google started an industry-wide initiative to address this issue, called Certificate Transparency or CT. With CT, public logs will be used to record issuance of publicly-trusted EV (Extended Validation) certificates. These logs can then be monitored by site operators to look for rogue instances of their domains. If duplicate certificates for the same domain are discovered by site operators in the logs, the site operator can take action to resolve the issue.
As part of the CT design, Google anticipates that one or more organizations would act as CT log monitors. These log monitors would periodically search through CT logs to detect possible mis-issuance events.
As a market leader in Next Generation Trust Protection, Venafi recognizes the value of the CT initiative as another important step to ensure online trust for certificates issued. Therefore, Venafi will be launching a public CT log that will satisfy the much needed Google CT log operator requirements of three public CT log servers. This public CT log can be used by any publicly-trusted CA and site operator to publish issued certificates. Furthermore, any organization that acts as a log monitor is free to use the Venafi public CT log to support their efforts.
Venafi is proud to support the Google CT initiative and looks forward to providing enhanced security for all public CA customers.