[cabfpub] Announcement: Requiring Certificate Transparency in 2017

Ryan Sleevi sleevi at google.com
Mon Oct 24 17:43:04 MST 2016


[Note: This is cross-posted. The best venue for follow-up questions is the
public mailing list at ct-policy at chromium.org or the post at
https://groups.google.com/a/chromium.org/d/msg/ct-policy/78N3SMcqUGw/ykIwHXuqAQAJ
]

This past week at the 39th meeting of the CA/Browser Forum, the Chrome team
announced plans that publicly trusted website certificates issued in
October 2017 or later will be expected to comply with Chrome’s Certificate
Transparency policy in order to be trusted by Chrome.

The Chrome Team believes that the Certificate Transparency ecosystem has
advanced sufficiently that October 2017 is an achievable and realistic goal
for this requirement.

This is a significant step forward in the online trust ecosystem. The
investments made by CAs adopting CT, and Chrome requiring it in some cases,
have already paid tremendous dividends in providing a more secure and
trustworthy Internet. The use of Certificate Transparency has profoundly
altered how browsers, site owners, and relying parties are able to detect
and respond to misissuance, and importantly, gives new tools to mitigate
the damage caused when a CA no longer complies with community expectations
and browser programs.

While the benefits of CT are clear, we recognize that some CAs, browsers,
or site operators may have use cases they feel are not fully addressed by
Certificate Transparency, and so may have concerns over the October 2017
date. We encourage anyone who feels this way to bring their concerns to the
IETF’s Public Notary Transparency WG (TRANS) so that these use cases can be
discussed and cataloged. The information for this WG, and the documents it
works on, is available at https://datatracker.ietf.org/wg/trans/charter/.

Although the date is a year away, we encourage any participants that wish
to have their use cases addressed to bring them forward as soon as possible
during the next three months. This will ensure that the IETF, the
CA/Browser Forum, and the broader community at large have ample time to
discuss the challenges that may be faced, and find appropriate solutions
for them. Such solutions may be though technical changes via the IETF or
via policy means such as through the CA/Browser Forum or individual
browsers’ root program requirements.

We will continue outreach to CAs in trust stores used by Chrome to ensure
that they are prepared and that there is minimal user disruption.

To further support these investments in Certificate Transparency, the
Chrome team will be discussing a proposed new HTTP header at next month’s
IETF meeting that would allow sites to opt-in to having CT requirements
enforced in advance of this deadline.

Similarly, we welcome and encourage all CAs to voluntarily request that
browsers enforce CT logging of their new certificates before this deadline.
Doing so enhances CT's ability to protect users, detect misissuance, and in
the unfortunate event that misissuance does occur, to confirm the scope of
misissuance. This may allow browsers to take more targeted steps to
remediate the problem than otherwise possible, thus minimizing any negative
impact to their users.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/public/attachments/20161024/f15f1952/attachment-0001.html>


More information about the Public mailing list