[Note: This is cross-posted. The best venue for follow-up questions is the public mailing list at ct-p...@chromium.org
or the post at https://groups.google.com/a/chromium.org/d/msg/ct-policy/78N3SMcqUGw/ykIwHXuqAQAJ
[Note: Posting wearing my Chrome hat. None of this reflects Mozilla policy, but is useful for the Mozilla community to be aware of]
This past week at the 39th meeting of the CA/Browser Forum, the Chrome team announced plans that publicly trusted website certificates issued in October 2017 or later will be expected to comply with Chrome’s Certificate Transparency policy in order to be trusted by Chrome.
The Chrome Team believes that the Certificate Transparency ecosystem has advanced sufficiently that October 2017 is an achievable and realistic goal for this requirement.
This is a significant step forward in the online trust ecosystem. The investments made by CAs adopting CT, and Chrome requiring it in some cases, have already paid tremendous dividends in providing a more secure and trustworthy Internet. The use of Certificate Transparency has profoundly altered how browsers, site owners, and relying parties are able to detect and respond to misissuance, and importantly, gives new tools to mitigate the damage caused when a CA no longer complies with community expectations and browser programs.
While the benefits of CT are clear, we recognize that some CAs, browsers, or site operators may have use cases they feel are not fully addressed by Certificate Transparency, and so may have concerns over the October 2017 date. We encourage anyone who feels this way to bring their concerns to the IETF’s Public Notary Transparency WG (TRANS) so that these use cases can be discussed and cataloged. The information for this WG, and the documents it works on, is available at https://datatracker.ietf.org/wg/trans/charter/
Although the date is a year away, we encourage any participants that wish to have their use cases addressed to bring them forward as soon as possible during the next three months. This will ensure that the IETF, the CA/Browser Forum, and the broader community at large have ample time to discuss the challenges that may be faced, and find appropriate solutions for them. Such solutions may be though technical changes via the IETF or via policy means such as through the CA/Browser Forum or individual browsers’ root program requirements.
We will continue outreach to CAs in trust stores used by Chrome to ensure that they are prepared and that there is minimal user disruption.
To further support these investments in Certificate Transparency, the Chrome team will be discussing a proposed new HTTP header at next month’s IETF meeting that would allow sites to opt-in to having CT requirements enforced in advance of this deadline.
Similarly, we welcome and encourage all CAs to voluntarily request that browsers enforce CT logging of their new certificates before this deadline. Doing so enhances CT's ability to protect users, detect misissuance, and in the unfortunate event that misissuance does occur, to confirm the scope of misissuance. This may allow browsers to take more targeted steps to remediate the problem than otherwise possible, thus minimizing any negative impact to their users.