Sectigo Is Sponsoring a Certificate Transparency (CT) Log from Let’s Encrypt. Here’s Why.
Today we announced that Sectigo is sponsoring Let’s Encrypt’s new Certificate Transparency (CT) log "Oak." As Let’s Encrypt’s CT log sponsor, Sectigo makes it economically possible for Let’s Encrypt, a non-profit, to create and maintain a CT log capable of meeting high-volume SSL certificate logging needs.
What is Certificate Transparency (CT)?
Certificate Transparency is an ecosystem framework initiated by Google that provides visibility into the world’s SSL / TLS certificates through the creation and maintenance of publicly accessible logs of issued certificates. Interested parties may maintain public logs that CAs can use to register the TLS certificates they issue. CT is available for all three levels of SSL authentication (Extended Validation [EV], Organization Validation [OV], and Domain Validation [DV]).
Certificate Transparency has a few potential advantages for companies’ control of their online presence and overall online security.
- Certificate Transparency gives companies more visibility into what’s happening with their online brands. This includes the possibility that phishers or other malicious parties are obtaining certificates for lookalike domains to enable their schemes. But it also includes the issuance of legitimate certificates to parties inside their own company without the knowledge of other parts of the business. In large enterprises this kind of thing happens routinely, and developers obtaining their own certificates can present problems with compliance and ongoing management. CT logs can help track down these certificates and bring them under central management.
- Certificate Transparency enables monitoring for mis-issued certificates. In the past decade we’ve seen instances of CAs issuing certificates incorrectly. CT logs enable the community to keep an eye on which certificates are issued and help ensure that certificates are correct. In the event of one or more incorrectly issued certificates, CT logs can help characterize the nature of the errors and help understand how to update CA procedures to prevent similar future errors.
- Certificate Transparency provides a body of information that can be used to research certificate usage trends. SSL certificates are central to any online activity of a sensitive nature, including financial transactions, purchasing, and sharing confidential information. Understanding their usage patterns and changes over time can shed light on a broad array of IT and societal trends.
A few companies maintain CT logs today. CAs most likely aren’t logging certificates across all available CT logs and may not even use the same logs every time. That can add a layer of complexity to these tasks. To help interested parties use the information available in CT logs, Sectigo offers crt.sh. This service accumulates the contents of known CT logs in a single, searchable interface.
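The two monitoring uses described above (finding certificates issued outside central management and spotting lookalike domains) can be sketched as a small triage routine over aggregated CT search results. This is an added example, not code from Sectigo, Let’s Encrypt, or crt.sh; the record fields are modeled on crt.sh's JSON output as an assumption, and the sample records, the inventory of known serial numbers, and the function names are constructed for illustration.

```python
import json

# Constructed sample records, shaped like crt.sh JSON search output (assumed
# fields: id, issuer_name, name_value, serial_number). Not real log entries.
SAMPLE = json.loads("""[
 {"id": 1, "issuer_name": "O=Example CA A", "name_value": "www.example.com\\nexample.com", "serial_number": "0a01"},
 {"id": 2, "issuer_name": "O=Example CA B", "name_value": "dev.example.com", "serial_number": "0b02"},
 {"id": 3, "issuer_name": "O=Example CA B", "name_value": "login.examp1e.com", "serial_number": "0c03"},
 {"id": 4, "issuer_name": "O=Example CA A", "name_value": "*.unrelated.org", "serial_number": "0d04"}
]""")

def edit_distance(a, b):
    """Levenshtein distance, used to flag near-miss spellings of a domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable(name):
    """Naive registrable domain: the last two labels, wildcard prefix dropped.
    A production monitor would consult the Public Suffix List instead."""
    labels = name.lower().lstrip("*.").split(".")
    return ".".join(labels[-2:])

def triage(records, owned, inventory_serials, max_distance=1):
    """Sort logged certificates into two review queues:
    unmanaged - names under `owned` whose serial is not in the central inventory
    lookalike - names on a different domain within `max_distance` edits of `owned`"""
    findings = {"unmanaged": [], "lookalike": []}
    for rec in records:
        # One logged certificate can carry several names, newline-separated.
        bases = {registrable(n) for n in rec["name_value"].split("\n")}
        if owned in bases:
            if rec["serial_number"].lower() not in inventory_serials:
                findings["unmanaged"].append(rec["id"])
        elif any(0 < edit_distance(b, owned) <= max_distance for b in bases):
            findings["lookalike"].append(rec["id"])
    return findings

if __name__ == "__main__":
    print(triage(SAMPLE, "example.com", {"0a01"}))
```

Record 2 lands in the unmanaged queue because its serial is missing from the inventory, and record 3 lands in the lookalike queue because its domain is one character away from the monitored one.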
Why sponsor a CT log from Let’s Encrypt?
The number of available CT logs that can accommodate high volume certificate issuance is quite small. That leaves the certificate logging ecosystem in a fragile state. If only one or two CT logs went offline or experienced performance problems or outages, Certificate Authorities might not be able to log their certificates as Google Chrome requires.
To increase CAs’ logging options and reduce the likelihood of a condition where CAs cannot meet these logging requirements, Sectigo and Let’s Encrypt have joined forces to launch Let’s Encrypt’s Oak CT log. As Let’s Encrypt’s CT log sponsor, Sectigo makes it economically possible for Let’s Encrypt, a non-profit, to create and maintain a CT log capable of meeting high-volume needs.
This partnership is one of many examples of how CAs can work together to ensure the security, interoperability, and ubiquity of both public and private PKI. Sectigo proudly contributes to industry efforts such as the CA/Browser Forum, IETF, WiMAX Forum, GSMA, the Open Connectivity Foundation, and the CA Security Council, working directly with other industry players to these ends.