Certificate Transparency

B.R. reallfqq-nginx at yahoo.fr
Wed Nov 11 14:02:03 UTC 2015

It is sad Chrome kind of forces website owners to have Certificate
Transparency available while the whole things is still categorized as
'Experimental' by the IETF to this day:

... but that is another debate. If you wanna serve CT certificates from a
non-CT-compliant CA, you will need to serve it through as TLS extension, ie
using a server module.

In the end, it sounds logical that CA implement this mechanism on their
side, through OCSP.
For now, this RFC future is uncertain and the technical oddities this
mechanism oddities it implies (double issuance
for example) might make CAs relunctant to rush, and it is perfectly

If you support Chrome's vision and Google's wish to force the way of this
RFC, go for a compliant CA or use a custom module.
*B. R.*

On Wed, Nov 11, 2015 at 12:11 PM, Rob Stradling <rob.stradling at comodo.com>

> On 11/11/15 11:03, locojohn wrote:
>> Joó Ádám Wrote:
>> -------------------------------------------------------
>> The TLS extension is the only method to implement Certificate
>>> Transparency without the assistance of the CA, and starting with
>>> January 1 2015 Chrome refuses to display the green bar for EV
>>> certificates without Certificate Transparency.
>>> StartSSL is one CA that currently does not support other methods,
>>> which means a lot of sites suffers from this.
>> Interesting, we have installed multi-domain EV certificates from StartSSL
>> for our company and we use Nginx, and EV green bar works in all modern and
>> even not so modern browsers:
>> https://www.ahlers.com
> In Chrome 46, I see "https:" in green but I don't see the "EV green bar"
> that shows the Subject Organization Name.  That's because...
> I presume Certificate Transparency is not required then?
> ...CT _is_ required if you want to see the EV green bar in recent versions
> of Chrome.
> Best regards,
>> Andrejs
> --
> Rob Stradling
> Senior Research & Development Scientist
> COMODO - Creating Trust Online
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20151111/144e8c74/attachment.html>

More information about the nginx mailing list