Certificate Transparency

Rob Stradling rob.stradling at comodo.com
Wed Nov 11 14:26:18 UTC 2015

On 11/11/15 14:02, B.R. wrote:
> It is sad Chrome kind of forces website owners to have Certificate
> Transparency available while the whole thing is still categorized as
> 'Experimental' by the IETF to this day:
> https://tools.ietf.org/html/rfc6962
> ... but that is another debate. If you wanna serve CT certificates from
> a non-CT-compliant CA, you will need to serve it through a TLS
> extension, i.e. using a server module.
> In the end, it sounds logical that CAs implement this mechanism on their
> side, through OCSP.

Indeed it does (and I'm very glad I pushed for this feature to be 
included in RFC6962 :-) ).

If you have a cert from Comodo, we can embed SCTs in OCSP Responses for 
you today.  Just ask.  :-)
(IIRC, DigiCert can do this too.  I don't know about any other CAs).

> For now, this RFC's future is uncertain and the technical oddities this
> mechanism implies (double issuance
> <https://community.letsencrypt.org/t/will-you-support-certificate-transparency/222/11>,
> for example) might make CAs reluctant to rush, and it is perfectly
> understandable.

Google have consistently said that they intend to require CT for all (EV 
and non-EV) TLS server certificates eventually.

Given that Google are "going to require that as of June 1st, 2016, all 
certificates issued by Symantec itself will be required to support 
Certificate Transparency" [1], it seems that "eventually" might not be 
that far away.

BTW, note that over at the IETF we're working on the next version of CT [2].


[2] https://datatracker.ietf.org/doc/draft-ietf-trans-rfc6962-bis/

> If you support Chrome's vision and Google's wish to force the way of
> this RFC, go for a compliant CA or use a custom module.
> ---
> *B. R.*
> On Wed, Nov 11, 2015 at 12:11 PM, Rob Stradling
> <rob.stradling at comodo.com <mailto:rob.stradling at comodo.com>> wrote:
>     On 11/11/15 11:03, locojohn wrote:
>         Joó Ádám Wrote:
>         -------------------------------------------------------
>             The TLS extension is the only method to implement Certificate
>             Transparency without the assistance of the CA, and starting with
>             January 1 2015 Chrome refuses to display the green bar for EV
>             certificates without Certificate Transparency.
>             StartSSL is one CA that currently does not support other
>             methods,
>             which means a lot of sites suffer from this.
>         Interesting, we have installed multi-domain EV certificates from
>         StartSSL
>         for our company and we use Nginx, and EV green bar works in all
>         modern and
>         even not so modern browsers:
>         https://www.ahlers.com
>     In Chrome 46, I see "https:" in green but I don't see the "EV green
>     bar" that shows the Subject Organization Name.  That's because...
>         I presume Certificate Transparency is not required then?
>     ...CT _is_ required if you want to see the EV green bar in recent
>     versions of Chrome.
>         Best regards,
>         Andrejs
>     --
>     Rob Stradling
>     Senior Research & Development Scientist
>     COMODO - Creating Trust Online
>     _______________________________________________
>     nginx mailing list
>     nginx at nginx.org <mailto:nginx at nginx.org>
>     http://mailman.nginx.org/mailman/listinfo/nginx
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx

Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
Office Tel: +44.(0)1274.730505
Office Fax: +44.(0)1274.730909

COMODO CA Limited, Registered in England No. 04058690
Registered Office:
   3rd Floor, 26 Office Village, Exchange Quay,
   Trafford Road, Salford, Manchester M5 3EQ

This e-mail and any files transmitted with it are confidential and 
intended solely for the use of the individual or entity to whom they are 
addressed.  If you have received this email in error please notify the 
sender by replying to the e-mail containing this attachment. Replies to 
this email may be monitored by COMODO for operational or business 
reasons. Whilst every endeavour is taken to ensure that e-mails are free 
from viruses, no liability can be accepted and the recipient is 
requested to use their own virus checking software.
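The thread discusses three ways an SCT can reach the browser (the TLS extension, an OCSP response extension, or embedding in the certificate itself); all three carry the same RFC 6962 SignedCertificateTimestampList wire format. The following parser is an added example, not code from the thread or from any CA or nginx module it mentions; the log IDs, timestamps and signatures it decodes are constructed placeholders, and it does not verify the SCT signatures (that needs the log's public key, which is out of scope here).

```python
import hashlib
import struct
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List

# RFC 6962 section 3.3: the same SignedCertificateTimestampList bytes appear
#   - raw in the TLS extension signed_certificate_timestamp (type 18),
#   - inside an OCTET STRING in the OCSP response extension 1.3.6.1.4.1.11129.2.4.5,
#   - inside an OCTET STRING in the X.509 extension 1.3.6.1.4.1.11129.2.4.2.
# TLS SignatureAndHashAlgorithm code points used below (RFC 5246):
HASH_SHA256 = 4
SIG_ECDSA = 3


@dataclass
class SCT:
    version: int
    log_id: bytes          # SHA-256 of the log's public key (32 bytes)
    timestamp_ms: int      # milliseconds since the Unix epoch
    extensions: bytes
    hash_alg: int
    sig_alg: int
    signature: bytes       # raw DigitallySigned payload; not verified here

    def issued_at(self) -> datetime:
        return datetime.fromtimestamp(self.timestamp_ms / 1000, tz=timezone.utc)


def parse_sct(data: bytes) -> SCT:
    """Decode one SerializedSCT (v1 layout), rejecting truncated or padded input."""
    if len(data) < 1 + 32 + 8 + 2:
        raise ValueError("SCT too short")
    version = data[0]
    if version != 0:                       # v1 is the only version RFC 6962 defines
        raise ValueError(f"unsupported SCT version {version}")
    log_id = data[1:33]
    (timestamp_ms,) = struct.unpack(">Q", data[33:41])
    (ext_len,) = struct.unpack(">H", data[41:43])
    pos = 43
    extensions = data[pos:pos + ext_len]
    if len(extensions) != ext_len:
        raise ValueError("truncated extensions")
    pos += ext_len
    if len(data) < pos + 4:
        raise ValueError("truncated DigitallySigned header")
    hash_alg, sig_alg, sig_len = struct.unpack(">BBH", data[pos:pos + 4])
    pos += 4
    signature = data[pos:pos + sig_len]
    if len(signature) != sig_len:
        raise ValueError("truncated signature")
    pos += sig_len
    if pos != len(data):
        raise ValueError("trailing bytes after SCT")
    return SCT(version, log_id, timestamp_ms, extensions, hash_alg, sig_alg, signature)


def parse_sct_list(data: bytes) -> List[SCT]:
    """Decode a SignedCertificateTimestampList: uint16 total length, then
    a sequence of uint16-length-prefixed SerializedSCT items."""
    if len(data) < 2:
        raise ValueError("SCT list too short")
    (total,) = struct.unpack(">H", data[:2])
    body = data[2:]
    if total != len(body) or total == 0:
        raise ValueError("SCT list length mismatch")
    scts, pos = [], 0
    while pos < len(body):
        if len(body) < pos + 2:
            raise ValueError("truncated SCT length prefix")
        (n,) = struct.unpack(">H", body[pos:pos + 2])
        pos += 2
        item = body[pos:pos + n]
        if len(item) != n or n == 0:
            raise ValueError("truncated SCT item")
        scts.append(parse_sct(item))
        pos += n
    return scts


def distinct_logs(scts: List[SCT]) -> int:
    """Number of distinct logs that vouched for the certificate; browser
    CT policies count SCTs per log, not SCTs in total."""
    return len({s.log_id for s in scts})


# --- Encoder used only to build the constructed sample below -----------------
def encode_sct(log_id: bytes, timestamp_ms: int, signature: bytes,
               extensions: bytes = b"") -> bytes:
    return (bytes([0]) + log_id + struct.pack(">Q", timestamp_ms)
            + struct.pack(">H", len(extensions)) + extensions
            + struct.pack(">BBH", HASH_SHA256, SIG_ECDSA, len(signature)) + signature)


def encode_sct_list(items: List[bytes]) -> bytes:
    body = b"".join(struct.pack(">H", len(i)) + i for i in items)
    return struct.pack(">H", len(body)) + body


# Constructed sample: two fake logs, placeholder (non-verifiable) signatures,
# timestamp chosen to match the date of the thread (2015-11-11, UTC).
FAKE_LOG_A = hashlib.sha256(b"constructed log A public key").digest()
FAKE_LOG_B = hashlib.sha256(b"constructed log B public key").digest()
SAMPLE_LIST = encode_sct_list([
    encode_sct(FAKE_LOG_A, 1447251978000, b"\x30\x00placeholder-sig-A"),
    encode_sct(FAKE_LOG_B, 1447251979000, b"\x30\x00placeholder-sig-B"),
])
SAMPLE_SCTS = parse_sct_list(SAMPLE_LIST)

if __name__ == "__main__":
    for s in SAMPLE_SCTS:
        print(s.log_id.hex()[:16], s.issued_at().isoformat())
    print("distinct logs:", distinct_logs(SAMPLE_SCTS))
```

The strict length checks matter in practice: the list arrives from the network (TLS extension or OCSP response), so a decoder that silently tolerates truncation or trailing bytes would let a malformed list pass as if it contained valid SCTs.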
