Google Online Security Blog: Certificate Transparency for Untrusted CAs

Certificate Transparency for Untrusted CAs

٢١ مارس ٢٠١٦

Posted by Martin Smith, Software Engineer, Certificate TransparencyCertificate TransparencyInitially

Those that were once trusted and have since been withdrawn from the root programs.

New CAs that are on the path to inclusion in browser trusted roots.

Including these in trusted logs is problematic for several reasons, including uncertainties around revocation policies and the possibility of cross-signing attacks being attempted by malicious third-parties.

However, visibility of these CAs’ activities is still useful, so we have created a new CT log for these certificates. This log will not be trusted by Chrome, and will provide a public record of certificates that are not accepted by the existing Google-operated logs.

The new log is accessible at ct.googleapis.com/submariner and is listed on our Known Logs page. It has the same API as the existing logs.

Initially, Submariner includes certificates chaining up to the set of root certificates that Symantec recently announced it had discontinued, as well as a collection of additional roots suggested to us that are pending inclusion in Mozilla.

Once Symantec’s affected certificates are no longer trusted by browsers, we will be withdrawing them from the trusted roots accepted by our existing logs (Aviator, Pilot, and Rocketeer).

Third parties are invited to suggest additional roots for potential inclusion in the new log by email to google-ct-logs@googlegroups.com.

Everyone is welcome to make use of the log to submit certificates and query data. We hope it will prove useful and help to improve web security.

ليست هناك تعليقات :

إرسال تعليق

Security Blog

Certificate Transparency for Untrusted CAs

ليست هناك تعليقات :

التسميات

Archive

Feed