Certificate Transparency

(Most recent update: 2016-07-31)

What is certificate transparency?

Certificate transparency is an initiative originally proposed by Google and supported by many of the major certification authorities. The idea is that (eventually) all issued certificates should be recorded in publicly available logs, so that organisations and domain owners can monitor whether certificates have been incorrectly issued in, or under, their names, and take appropriate action. The logs are append-only -- that is, once an entry has been made in the log, it cannot later be erased.

Who logs the certificates?

Several CAs -- including Symantec -- are now running their own logs, showing certificates that they have issued; Google also run publicly visible logs which include certificates that they have found while indexing the Web.

What information is logged?

In general, all information forming part of the issued certificate -- its issue and expiry dates, serial number, issuer, the organisation details (if included within the certificate) -- is logged.

The exception to this is the Common Name and any Subject Alternative Names within the certificate -- these are the server name(s) for which the certificate will work. For these names, you can request that either the full information or redacted information is logged.

Redacted information? Please explain.

In some cases, an organisation may require an SSL certificate for a server within their network where they would rather the server name, or part of it, were not known to the outside world. In these cases, they may request that their certificate should be logged with redacted information; instead of logging, for instance,

interestingname.internal.example.com

a certificate with redacted information would have its server name logged as

?.example.com

(Note that redaction also obscures the number of domain parts underneath the root domain -- in this case, example.com.) This redaction is also referred to as "root domain logging" since the root domain is the only part of the name which is logged.
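As an added illustration (not code from the original page, nor from any CA's or log operator's own tooling), here is a small Python monitor that applies the redaction rule above to a constructed set of log entries and classifies each entry from the domain owner's point of view; the names, serial numbers and issuer used are made up.

```python
from dataclasses import dataclass

def redact(name: str, root: str) -> str:
    """Root-domain logging: every label below the root collapses to a
    single '?', so the number of removed labels is hidden as well."""
    if name == root:
        return name
    if not name.endswith("." + root):
        raise ValueError(f"{name} is not under {root}")
    return "?." + root

@dataclass(frozen=True)
class LogEntry:
    serial: str   # certificate serial number, as logged
    issuer: str   # issuing CA, as logged
    names: tuple  # CN/SANs as logged, full or redacted

def classify(entry: LogEntry, root: str, inventory: dict) -> str:
    """Classify one log entry for the owner of `root`; `inventory` maps
    serial -> set of names we requested. Returns 'other' (not our domain),
    'known' (serial and names match), 'redacted' (only '?.root' is logged,
    so identify it by serial/issuer) or 'unexpected' (not requested by us)."""
    ours = [n for n in entry.names if n == root or n.endswith("." + root)]
    if not ours:
        return "other"
    if entry.serial not in inventory:
        return "unexpected"
    if any(n.startswith("?.") for n in ours):
        return "redacted"
    return "known" if set(ours) <= inventory[entry.serial] else "unexpected"

def review(entries, root, inventory) -> dict:
    """Return {serial: classification} for every entry touching `root`."""
    result = {e.serial: classify(e, root, inventory) for e in entries}
    return {s: c for s, c in result.items() if c != "other"}

# Constructed sample data (not a real log): two certificates we requested,
# one logged in full and one redacted, plus one that nobody asked for.
ROOT = "example.com"
INVENTORY = {"01": {"www.example.com"},
             "02": {"interestingname.internal.example.com"}}
LOG = (
    LogEntry("01", "Example CA", ("www.example.com",)),
    LogEntry("02", "Example CA", (redact("interestingname.internal.example.com", ROOT),)),
    LogEntry("03", "Example CA", ("login.example.com",)),
    LogEntry("04", "Example CA", ("shop.example.net",)),
)

if __name__ == "__main__":
    print(review(LOG, ROOT, INVENTORY))
```

The redacted entry can only be tied back to your own order by serial number and issuer, which is why redaction makes monitoring for mis-issuance harder rather than easier.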

Are there any disadvantages to redacting a name?

Potentially.

If you are buying an Extended Validation certificate, Chrome will disable the green browser bar and all other EV indications if you have requested that your certificate should be logged with redacted information. This obviously loses you the advantage of buying an EV certificate in the first place!

If you are buying an Organisation Validated or Domain Validated certificate, then there will not necessarily be any immediate effect, but Google have warned that future versions of Chrome are likely to show browser warnings when encountering a certificate which has been logged with redacted information. We do not yet have further information about when this might happen or what the warnings will look like.

If you are buying a certificate to secure a server-to-server connection, then it's likely that having that certificate logged with redacted information will make no difference to its functionality; so long as the secured site is never viewed in a browser, its logging status should not be of concern.

What if I change my mind?

It is possible to change the logging status of a certificate by reissuing the certificate and choosing the appropriate logging status at that point. However, note that if you change from logging the full name information to logging only redacted information, the previously-logged certificate information will still remain in the logs and be visible to anyone searching for it; it's not possible to delete a previously-logged certificate from the logs.

Is any other data logged?

No data is logged which does not already form part of the issued certificate. So: no contact details (including email and phone details), no address details, no billing details; none of the information which has been provided to us or to Symantec to enable the processing of the certificate.

But I don't want any of this logged...

Unfortunately, as of June 1st 2016, the choice is between "full logging" and "redacted logging", not "log" or "don't log", for all certificates issued by Symantec or one of their sub-brands (Thawte, Geotrust, RapidSSL, QuickSSL). Prior to that, logging was optional.

I could do with some advice.

Happy to help -- at least if you bought your original certificate from us, or you are considering buying a new one from us. (If your question relates to an existing certificate that was bought through a different reseller or through Symantec directly, we encourage you to contact them first.) Email thawte@herald.co.uk or call us on 020 8394 2288.