Are public certificates issued by a public CA mandated to log the certificate info into CT logs?


John

Jul 28, 2024, 9:05:54 AM
to certificate-transparency
Hi there, 

Can I check if all public certificates issued by a public CA are mandated to log the certificate info into CT logs? In what circumstances could a public cert be missed out in the CT logs?

May I know of any documentation that enforces such a mandate?

Thanks. 
John. 

Matt Palmer

Jul 29, 2024, 2:46:54 AM
to certificate-...@googlegroups.com
On Sun, Jul 28, 2024 at 12:24:10AM -0700, John wrote:
> Can I check if all public certificates issued by public CA are mandated to
> log the certificate info into CT logs? In what circumstance could a public
> cert missed out in the CT logs?

There is no mandate that "public certificates" are logged, because the
term "public certificate" is not well-defined.

However, there are two browsers (to my knowledge) which require that any
certificate issued by the set of CAs trusted by default in those
browsers present proof that the end-entity certificate presented in a
TLS connection has been logged in a recognised CT log, by providing an
SCT during the TLS connection setup. Those browsers are Chrome and
Safari.

> May I know any documentation enforce such mandate?

You can find those respective browsers' policies by searching
for "<browser> certificate transparency log policy" in the search engine
of your choice.

- Matt

Matthew McPherrin

Jul 29, 2024, 4:08:36 PM
to certificate-...@googlegroups.com
In particular: there are generally[1] no compliance obligations to log certificates to CT.

Enforcement of certificates appearing in CT is purely technical, enforced by the browser's code, not policy.

If a CA doesn't log a certificate to CT, then users can still be in compliance with the browser's requirements to include SCTs by submitting them and including the SCTs in a TLS extension, instead of in the certificate itself.

1: Let's Encrypt actually says in our CP/CPS that we will publish to CT, so that is an obligation per https://letsencrypt.org/documents/isrg-cp-cps-v5.1/#4.4.2-publication-of-the-certificate-by-the-ca
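Since the browser check is purely technical, what a client actually inspects is the SignedCertificateTimestampList from RFC 6962, whether it arrives embedded in the certificate or in the TLS extension the reply above mentions. The parser below is an added example, not code from this thread or from any CA or browser; it walks that structure over a constructed sample whose log IDs and signature bytes are placeholders, and it does not verify the SCT signatures against log keys.

```python
import struct

# SCTs reach the client embedded in the certificate (X.509 extension OID below),
# in the TLS signed_certificate_timestamp extension (type 18), or in stapled OCSP.
SCT_LIST_OID = "1.3.6.1.4.1.11129.2.4.2"
TLS_SCT_EXTENSION_TYPE = 18

def parse_sct_list(data: bytes) -> list[dict]:
    """Parse a SignedCertificateTimestampList (RFC 6962 s3.3); signatures NOT verified.
    SCT = version(1) | log_id(32) | timestamp_ms(8) | extensions(2+n) |
    hash_alg(1) | sig_alg(1) | signature(2+n); list and items carry uint16 lengths."""
    (total,) = struct.unpack(">H", data[:2])
    body = data[2:2 + total]
    if len(body) != total:
        raise ValueError("truncated SCT list")
    scts, pos = [], 0
    while pos < len(body):
        (sct_len,) = struct.unpack(">H", body[pos:pos + 2])
        sct = body[pos + 2:pos + 2 + sct_len]
        if len(sct) != sct_len:
            raise ValueError("truncated SCT")
        pos += 2 + sct_len
        if sct[0] != 0:  # only v1 (value 0) is defined
            raise ValueError(f"unknown SCT version {sct[0]}")
        (ts_ms,) = struct.unpack(">Q", sct[33:41])
        (ext_len,) = struct.unpack(">H", sct[41:43])
        off = 43 + ext_len
        hash_alg, sig_alg, sig_len = struct.unpack(">BBH", sct[off:off + 4])
        sig = sct[off + 4:off + 4 + sig_len]
        if len(sig) != sig_len:
            raise ValueError("truncated SCT signature")
        scts.append({"log_id": sct[1:33].hex(), "timestamp_ms": ts_ms,
                     "hash_alg": hash_alg, "sig_alg": sig_alg, "signature": sig})
    return scts

def distinct_log_ids(scts: list[dict]) -> set[str]:
    # Browser CT policies count SCTs from distinct logs, not the raw SCT count.
    return {s["log_id"] for s in scts}

def _build_sct(log_id: bytes, ts_ms: int, sig: bytes) -> bytes:
    # Constructed v1 SCT: no extensions, hash=sha256(4), sig=ecdsa(3).
    return (b"\x00" + log_id + struct.pack(">Q", ts_ms) + b"\x00\x00"
            + b"\x04\x03" + struct.pack(">H", len(sig)) + sig)

# Constructed sample: two SCTs from two placeholder logs. Log IDs and signature
# bytes are dummies, not real CT log key hashes or valid signatures.
_items = b"".join(struct.pack(">H", len(s)) + s for s in (
    _build_sct(b"\x01" * 32, 1_700_000_000_000, b"\x30\x06\x02\x01\x01\x02\x01\x02"),
    _build_sct(b"\x02" * 32, 1_700_000_060_000, b"\x30\x06\x02\x01\x03\x02\x01\x04")))
SAMPLE_SCT_LIST = struct.pack(">H", len(_items)) + _items
```

Feed it the raw value of the X.509 extension (after stripping the outer OCTET STRING) or the TLS extension body; the log IDs it returns are the SHA-256 hashes of log public keys that a client compares against its list of recognised logs.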
