Certificate Transparency

Maxim Dounin mdounin at mdounin.ru
Mon Nov 9 13:21:34 UTC 2015


Hello!

On Sun, Nov 08, 2015 at 04:16:14PM +0100, Joó Ádám wrote:

> Do we know if there’s any plan to support the signed certificate
> timestamp TLS extension in Nginx? (There’s apparently a third party
> module that implements the functionality:
> https://github.com/grahamedgecombe/nginx-ct)

No plans.

> The TLS extension is the only method to implement Certificate
> Transparency without the assistance of the CA, and starting with
> January 1 2015 Chrome refuses to display the green bar for EV
> certificates without Certificate Transparency.
> 
> StartSSL is one CA that currently does not support other methods,
> which means a lot of sites suffer from this.

There are at least some CAs that provide CT support without a need 
to submit a certificate to log servers yourself and use the 
signed_certificate_timestamp extension.  Given that's all about EV 
certs, switching to a different CA is a solution to consider if a 
particular CA doesn't support CT.

-- 
Maxim Dounin
http://nginx.org/


