Balancing Certificate Transparency and Privacy

Created on Feb 18 2016, 6:37 PM by Michael Klieman

In my last blog post, I shared that Symantec will have support for Certificate Transparency fully deployed across all of our products and customer-facing experiences in the next few weeks. 

Certificate Transparency (CT) can help organizations monitor what active SSL/TLS certificates exist for the domains they own – and for many customers and use cases, the current implementation of CT works well. However, in cases where certificates are deployed for internal-only applications, some customers prefer to keep the information for their certificates private (particularly sub-domain information). For example, while a customer may be fine with publishing certificate information publicly for “support.mycompany.com”, that same customer may understandably object to logging “top-secret-project.mycompany.com”. Today, the current Certificate Transparency specification RFC 6962 does not address these privacy concerns or use cases. 

To handle these practical customer use cases, Symantec’s current implementation of CT logs all certificates by default but provides an option for customers to “opt out” of logging certificates. This approach is clearly not optimal because it creates a gap where all certificates may not be logged – however this is presently the most effective way to address customers’ privacy concerns within the limitations of the current Certificate Transparency specification. 

Currently, the Internet Engineering Task Force is working on the next version of the Certificate Transparency specification — RFC 6962-bis. This new version will allow for sub-domain information to be redacted from CT logging. Using the case above, a customer will be able to have their certificate for “top-secret-project.mycompany.com” logged as “?.mycompany.com”. This approach will enable companies to address their privacy concerns while ensuring that all of their certificates are being logged and monitored. 

Symantec supports name redaction as the best way to address both transparency and privacy and we intend to implement the new specification as soon as it is finalized. 

Learn more about our support for Certificate Transparency here.

  • Products
  • DigiCert Code Signing
  • Thought Leadership
  • Certificate Transparency
  • Symantec Website Security