by Doug Beattie
Google has announced that their EV Certificate Transparency (CT) Chrome policy has been formally expanded to cover all types of SSL Certificates. While Chrome already enforces CT for EV Certificates by not displaying the green bar, Google has not yet provided the date or enforcement mechanisms for non-EV Certificates. Google is “proceeding slowly in order to allow CAs, log operators, monitors, and browsers necessary time to gain experience with deploying and interacting with CT in a meaningful and scalable way.”
CAs and Web Site Operators Need to Act Early to Avoid Another SHA-1 Scenario
Based on past experience with browser policy changes, website operators and CAs need to plan ahead and start complying with the policy early so that customers are not impacted as they were with the SHA-1 deprecation. As you may recall, while 3-year SHA-1 certificates were permitted to be issued in 2015, some browsers subsequently degraded the treatment of SHA-1 certificates expiring after 12/31/2016, which resulted in customer support challenges. When this happened, website operators needed to:
- Replace longer validity SHA-1 SSL Certificates with ones that expired by this date (and lose validity period that they paid for), or
- Upgrade to SHA-256 before they were ready and before it was absolutely required, or
- Continue using the SHA-1 certificate and the degraded UI until it expires or is replaced.
We can anticipate that this will also be the case with the move to requiring Certificate Transparency for all types of certificates. It’s unlikely that enforcement of the policy will be completely forward-looking, and we can expect the enforcement mechanisms to affect the treatment of previously issued SSL Certificates. Google will set a compliance date and a set of rules which permit some previously issued certificates to comply, but it’s highly unlikely that 3-year certificates without signed certificate timestamps (SCTs) will be compliant. The best way to ensure that certificates are processed with the highest level of trust is to include the required number of SCTs in all issued certificates as soon as feasible, especially those with a validity period longer than 1 year.
GlobalSign and Certificate Transparency
Certificate Transparency is based on the Google-authored experimental RFC 6962, which was published about three years ago. Google Chrome is currently the only browser with a CT policy and the only one with an enforcement mechanism. The initial enforcement of the Google Chrome Extended Validation plan happened in May 2015. When Chrome encounters an EV certificate which does not comply with the policy, the EV green bar treatment is removed. To be compliant, the EV certificate:
- Must have been published into a Google CT log prior to 12/31/2014 to be white-listed, or
- If issued after 12/31/2014 it must include the number of SCTs specified by the policy, or
- Chrome must have received the specified number of SCTs via the TLS handshake or OCSP response.
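The three rules above all turn on the same question: how many SCTs does Chrome see for this certificate, and from where? The following is an added example (it is not GlobalSign's code and not part of the original post) that parses the SignedCertificateTimestampList wire format from RFC 6962 section 3.3 (the payload of the X.509 SCT extension and of the TLS signed_certificate_timestamp extension), counts SCTs per distinct log, and applies the three rules as a simple check. The required SCT count is a parameter because the policy sets it; the sample SCTs and log ids are constructed and carry filler bytes where a signature would be, and signature verification against the log's public key (which a real client performs) is deliberately left out. Counting per distinct log id is an assumption about the policy's counting rule.

```python
import struct
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Cut-off date from the whitelist rule quoted above (12/31/2014).
WHITELIST_CUTOFF = datetime(2014, 12, 31, tzinfo=timezone.utc)


def _u16(buf: bytes, off: int):
    """Read a big-endian uint16 at `off`; return (value, new offset)."""
    return struct.unpack_from(">H", buf, off)[0], off + 2


def parse_sct(sct: bytes) -> Dict:
    """Parse one RFC 6962 v1 SignedCertificateTimestamp.

    Layout: uint8 version (0 = v1), 32-byte log id, uint64 timestamp in ms,
    uint16-prefixed extensions, then uint8 hash alg, uint8 signature alg and
    a uint16-prefixed signature. The signature is NOT verified here.
    """
    if len(sct) < 47:
        raise ValueError("SCT too short")
    if sct[0] != 0:
        raise ValueError("unsupported SCT version %d" % sct[0])
    log_id = sct[1:33]
    timestamp_ms = struct.unpack_from(">Q", sct, 33)[0]
    ext_len, off = _u16(sct, 41)
    extensions = sct[off:off + ext_len]
    off += ext_len
    if off + 4 > len(sct):
        raise ValueError("truncated SCT signature block")
    hash_alg, sig_alg = sct[off], sct[off + 1]
    sig_len, off = _u16(sct, off + 2)
    signature = sct[off:off + sig_len]
    off += sig_len
    if len(extensions) != ext_len or len(signature) != sig_len or off != len(sct):
        raise ValueError("malformed SCT")
    return {"log_id": log_id,
            "timestamp": datetime.fromtimestamp(timestamp_ms / 1000, tz=timezone.utc),
            "extensions": extensions, "hash_alg": hash_alg,
            "sig_alg": sig_alg, "signature": signature}


def parse_sct_list(data: bytes) -> List[Dict]:
    """Parse a SignedCertificateTimestampList: uint16 total length followed
    by a sequence of uint16-prefixed SCTs."""
    if len(data) < 2:
        raise ValueError("SCT list too short")
    total, off = _u16(data, 0)
    if 2 + total != len(data):
        raise ValueError("list length does not match payload")
    scts = []
    while off < len(data):
        sct_len, off = _u16(data, off)
        if off + sct_len > len(data):
            raise ValueError("truncated SCT entry")
        scts.append(parse_sct(data[off:off + sct_len]))
        off += sct_len
    return scts


def is_well_formed(data: bytes) -> bool:
    """True if the list parses cleanly; a monitor would flag anything else."""
    try:
        parse_sct_list(data)
        return True
    except ValueError:
        return False


def distinct_log_count(scts: List[Dict]) -> int:
    """Two SCTs from the same log count once (assumed counting rule)."""
    return len({s["log_id"] for s in scts})


def ct_compliant(issued: datetime, on_whitelist: bool,
                 embedded_sct_list: Optional[bytes], required_scts: int,
                 delivered_scts: int = 0) -> bool:
    """Apply the three rules from the post. `delivered_scts` counts SCTs the
    client received via the TLS extension or OCSP response (already parsed
    and verified by the caller); `required_scts` is whatever the policy says."""
    # 1. Logged and white-listed before the 12/31/2014 cut-off.
    if on_whitelist and issued < WHITELIST_CUTOFF:
        return True
    # 2. Issued later: enough SCTs embedded in the certificate itself.
    if embedded_sct_list is not None:
        if distinct_log_count(parse_sct_list(embedded_sct_list)) >= required_scts:
            return True
    # 3. Enough SCTs delivered in the handshake or stapled OCSP response.
    return delivered_scts >= required_scts


def build_sct(log_id: bytes, timestamp_ms: int, signature: bytes) -> bytes:
    """Serialize a v1 SCT with no extensions (only used to build sample data)."""
    assert len(log_id) == 32
    return (b"\x00" + log_id + struct.pack(">Q", timestamp_ms)
            + struct.pack(">H", 0)            # empty extensions
            + bytes([4, 3])                   # sha256 / ecdsa (RFC 5246 ids)
            + struct.pack(">H", len(signature)) + signature)


def build_sct_list(scts: List[bytes]) -> bytes:
    items = b"".join(struct.pack(">H", len(s)) + s for s in scts)
    return struct.pack(">H", len(items)) + items


# Constructed sample data (not real logs or signatures): two distinct log ids,
# one of them appearing twice, with filler bytes in place of a signature.
LOG_A, LOG_B = b"\x01" * 32, b"\x02" * 32
FAKE_SIG = b"\xab" * 64
SAMPLE_ISSUED = datetime(2015, 6, 1, tzinfo=timezone.utc)
PRE_CUTOFF_ISSUED = datetime(2014, 6, 1, tzinfo=timezone.utc)
SAMPLE_TS_MS = int(SAMPLE_ISSUED.timestamp() * 1000)
SAMPLE_SCT_LIST = build_sct_list([build_sct(LOG_A, SAMPLE_TS_MS, FAKE_SIG),
                                  build_sct(LOG_B, SAMPLE_TS_MS, FAKE_SIG),
                                  build_sct(LOG_A, SAMPLE_TS_MS, FAKE_SIG)])

if __name__ == "__main__":
    for s in parse_sct_list(SAMPLE_SCT_LIST):
        print(s["log_id"].hex()[:8], s["timestamp"].isoformat())
    print("2 required:", ct_compliant(SAMPLE_ISSUED, False, SAMPLE_SCT_LIST, 2))
    print("3 required:", ct_compliant(SAMPLE_ISSUED, False, SAMPLE_SCT_LIST, 3))
```

Run as a script it prints the parsed log ids and timestamps and shows that the three embedded SCTs satisfy a requirement of two distinct logs but not three; the same list would pass a three-log requirement only if the missing SCT arrived through the TLS extension or the OCSP response, which is exactly the third rule.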
In support of the Google CT policy, GlobalSign white-listed all applicable EV Certificates in 2014 and has included SCTs in EV Certificates since the 1/1/2015 deadline. While we allow our enterprise accounts to opt out of CT, very few have actually done so.
For well over a year Google has been encouraging CAs to include CT in all of their SSL Certificates, as well as encouraging companies to set up CT logs and to create tools to monitor the logs. The number of operational logs has expanded to eight active logs, three from Google and five from other log operators, with several others in the process of being added or removed.
GlobalSign Plans
Given the past retroactive enforcement mechanisms and the impact they have on website operators and CAs, GlobalSign will be including the number of SCTs specified in the Google CT Policy for all DV Certificates by August 2016 and will be following up with a more comprehensive set of CT options for OV Certificates shortly thereafter.