What is Certificate Transparency?
When sensitive data is transferred between two hosts, encrypted communication like TLS is used for that purpose. And, digital certificates have a major role to play in TLS communication.
A TLS server usually issues its digital certificate from a trusted Certificate Authority or CA. When a TLS client wants to establish a TLS connection with the server, the server sends that digital certificate to the client. The client verifies the certificate from the trusted CA and then proceeds with establishing the connection.
But, there are a number of recent incidences where a digital certificate is mistakenly issued by a CA or a CA has been compromised. It is extremely difficult to detect such fraudulent cases in the current scenario. Our browsers cannot detect if a malicious website is using a mistakenly issued certificate or a certificate issued by a compromised or rogue CA. As a result, user security gets compromised.
Certificate Transparency is an experimental IETF (Internet Engineering Task Force) open standard that is used to monitor and audit digital certificates and to detect suspicious certificates and CAs within a reasonable time frame.
Functional Components of Certificate Transparency
Certificate Transparency has three new functional components to the current SSL certificate system :
- Certificate Log
- Certificate Monitor
- Certificate Auditor
Certificate Log
A Certificate Log is a simple network service that maintains a record of SSL certificates. Any interested entity can submit certificates to the Certificate Log, though it is expected that a CA or server operator submit a certificate to the log. A log is a single, ever-growing, and append-only entity. When an interested party submits a valid digital certificate to the log, the log returns a Signed Certificate Timestamp or SCT. A valid digital certificate can have a single valid SCT. So, if the log has seen the digital certificate before, it may return the same SCT which it has already returned before.
0 Comments