[Google Chrome] Announcement: Requiring Certificate Transparency in 2017


that publicly trusted website certificates issued in October 2017 or later will be expected to comply with Chrome’s Certificate Transparency policy in order to be trusted by Chrome

Does Let's Encrypt has plans to comply with that new policy?

For history :



It kind of looks like Let’s Encrypt is seeing these as two different options it could pick, but I hope they end up supporting both. Embedded SCTs is trickier to arrange, but is super-super easy for subscribers, because you get a certificate just like before and it just works. Nothing new to learn, let alone changes to configuration.

OCSP+SCT is a good option though because it gives you better flexibility in the face of log distrust. The embedded SCTs in an X.509 certificate can’t be changed until the certificate is renewed, but OCSP responses can change in days. When Google occasionally has to distrust a log, this minimises disruption. On the downside, lots of Unix server software is crap at OCSP and either doesn’t do it at all, or doesn’t work well by default. So not very friendly for average users.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.