Certificate Transparency in Chrome - Change to Enforcement Date
Ryan Sleevi
TL;DR: We’re updating our proposed Certificate Transparency enforcement timeline in order to better support other browsers.
On October 24, 2016, the Chrome team announced our desire to require Certificate Transparency for all newly issued publicly trusted certificates. The announcement was made in https://groups.google.com/a/chromium.org/d/msg/ct-policy/78N3SMcqUGw/ykIwHXuqAQAJ , and at the CA/Browser Forum. As indicated in both announcements, we wanted to understand specific and actionable concerns regarding that plan, to help minimize disruption on the path to making the Web PKI more secure and reliable, by bringing transparency and accountability for Certificate Authorities (CAs).
In the months that followed our announcement, we sought and received excellent feedback from a variety of organizations: enterprises, certificate authorities, other browsers, and developers within the web server and CA ecosystem.
In February we hosted a two-day CT conference. Fifty-five people attended from log operators, CDN operators, CA software vendors, CAs, browser vendors, academic institutions, and even folks working on the US Government’s PKI. The discussions covered a variety of topics related to the CA ecosystem, as shown by the agenda, and highlighted a number of opportunities to improve the current Chrome policies and the ecosystem.
As other browser vendors rapidly progress on Certificate Transparency support within their products, they are more comprehensively evaluating their goals with Certificate Transparency, and we now have greater opportunities to work on interoperable solutions.
The IETF has made good progress in the past several months regarding RFC 6962-bis, the Standards-track document update for RFC 6962. In particular, the many contributions from Mozilla engineers have made Certificate Transparency more scalable and easier to deploy.
In the past few months, we’ve seen the introduction of additional logs with liberal acceptance policies, and we’ve heard from several organizations interested in operating logs in the near future.
We’ve been making excellent progress towards our goal of robust Certificate Transparency deployment for all publicly trusted certificates -- and we also have new opportunities to improve Certificate Transparency and Chrome to better serve the Internet ecosystem. I’m pleased to announce that we’ll be moving forward with our plan to require Certificate Transparency for all newly issued, publicly trusted certificates starting in April 2018.
With an additional six months beyond our original target date, we hope to see a deployment that:
Helps protect other browsers’ users in addition to Chrome’s users.
Addresses the concerns of log operators to encourage more robust and scalable logs.
Allows additional time for server developers to add exciting new features to make the transition go more smoothly and provide greater protections.
Ensures enterprises have the necessary controls to flexibly and efficiently manage their organization’s certificates.
With even greater interest from the ecosystem, we’ve also been considering how to improve collaboration and communication beyond the existing ct-p...@chromium.org mailing list. To this end, we’ve moved the draft versions of the "Certificate Transparency in Chrome" policy and the "Certificate Transparency Log Policy" to GitHub at https://github.com/GoogleChrome/ct-policy, mirroring the successful collaboration approach seen in WHATWG, W3C, and with other browsers. This will hopefully afford greater flexibility to making, responding, and tracking changes to the policies over the coming months, as we move to ubiquitous CT.
