Upcoming Support for Google Chrome

It looks as though Google Chrome will require all publicly trusted certificates to be submitted to at least two Certificate Transparency logs beginning on April 30, 2018. I see that Let’s Encrypt adds entries to https://crt.sh, but wonder whether there are plans for it to automatically add entries to a second log as well as per Chrome’s upcoming requirement.

Thanks in advance for your guidance!

Kind regards,
Ben

Let’s Encrypt does log to multiple logs. For example, here’s a cert I accidentally issued yesterday:

https://crt.sh/?id=341722010

It was simultaneously logged to Cloudflare Nimbus, Google Argon and Google Icarus.

Some CT logs reflect updates more quickly than others, so a crt.sh page for a certificate issued within the last couple hours may be misleading.

https://crt.sh/monitored-logs

I believe Let’s Encrypt also sometimes uses some of the other high volume logs.

More than just logging certificates, Chrome will require that websites prove their certificates were logged, through one of three mechanisms:

  • Including SCTs in the certificate, which requires changes to the CA’s certificate creation code.
  • Using OCSP stapling and including SCTs in the OCSP response, which requires OCSP stapling support in the web server, and changes to the CA’s OCSP code.
  • Including SCTs in a TLS extension, which requires changes to the web server.

Let’s Encrypt intends to comply with the Chrome policy by the time it is necessary, 2 months and 3 days from now. They plan to implement the first option, including SCTs in certificates, and the requisite changes are in development.

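The first of the three mechanisms above, SCTs embedded in the certificate, can be checked locally: the extension carries an RFC 6962 SignedCertificateTimestampList, and counting the distinct log IDs in it tells you whether the "at least two logs" bar is met. The parser below is an added example, not code from Let's Encrypt or from this thread; it assumes the DER OCTET STRING wrapper around the extension value has already been stripped, and runs on a constructed two-SCT sample rather than a real certificate.

```python
import struct

def parse_sct_list(data: bytes) -> list[dict]:
    """Parse an RFC 6962 SignedCertificateTimestampList (TLS wire encoding).

    Layout: uint16 total length, then repeated (uint16 length, SCT).
    Each SCT: version(1) log_id(32) timestamp_ms(8) extensions<0..2^16-1>
              hash_alg(1) sig_alg(1) signature<0..2^16-1>.
    """
    (total,) = struct.unpack_from(">H", data, 0)
    if total != len(data) - 2:
        raise ValueError("SCT list length mismatch")
    pos, scts = 2, []
    while pos < len(data):
        (n,) = struct.unpack_from(">H", data, pos)
        pos += 2
        sct = data[pos:pos + n]
        pos += n
        if len(sct) != n or sct[0] != 0:  # only v1 SCTs are defined
            raise ValueError("truncated SCT or unsupported version")
        log_id = sct[1:33]                       # SHA-256 of the log's public key
        (ts_ms,) = struct.unpack_from(">Q", sct, 33)
        (ext_len,) = struct.unpack_from(">H", sct, 41)
        off = 43 + ext_len                       # skip any (normally empty) extensions
        hash_alg, sig_alg = sct[off], sct[off + 1]
        (sig_len,) = struct.unpack_from(">H", sct, off + 2)
        sig = sct[off + 4:off + 4 + sig_len]
        if len(sig) != sig_len:
            raise ValueError("truncated signature")
        scts.append({"log_id": log_id.hex(), "timestamp_ms": ts_ms,
                     "hash_alg": hash_alg, "sig_alg": sig_alg, "signature": sig})
    return scts

def meets_chrome_minimum(scts: list[dict], minimum: int = 2) -> bool:
    """True if SCTs come from at least `minimum` distinct logs (the thread's stated bar)."""
    return len({s["log_id"] for s in scts}) >= minimum

# --- constructed sample data (not from a real certificate) ---
def build_sct(log_id: bytes, ts_ms: int, sig: bytes) -> bytes:
    # hash_alg 4 = sha256, sig_alg 3 = ecdsa (TLS SignatureAndHashAlgorithm codes)
    body = (b"\x00" + log_id + struct.pack(">Q", ts_ms) + b"\x00\x00"
            + b"\x04\x03" + struct.pack(">H", len(sig)) + sig)
    return struct.pack(">H", len(body)) + body

def build_sct_list(*scts: bytes) -> bytes:
    body = b"".join(scts)
    return struct.pack(">H", len(body)) + body

SAMPLE_SCT_LIST = build_sct_list(
    build_sct(b"\x01" * 32, 1519171200000, b"\xaa" * 4),   # placeholder log A
    build_sct(b"\x02" * 32, 1519171200500, b"\xbb" * 4),   # placeholder log B
)
```

The log IDs and signatures here are placeholders; on a real certificate the log ID would be matched against a known-log list and the signature verified with that log's public key before counting it.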
