Balancing Certificate Transparency and Privacy
In my last blog post, I shared that Symantec will have support for Certificate Transparency fully deployed across all of our products and customer-facing experiences in the next few weeks.
Certificate Transparency (CT) can help organizations monitor what active SSL/TLS certificates exist for the domains they own – and for many customers and use cases, the current implementation of CT works well. However, in cases where certificates are deployed for internal-only applications, some customers prefer to keep the information for their certificates private (particularly sub-domain information). For example, while a customer may be fine with publishing certificate information publicly for “support.mycompany.com”, that same customer may understandably object to logging “top-secret-project.mycompany.com”. Today, the current Certificate Transparency specification RFC 6962 does not address these privacy concerns or use cases.
To handle these practical customer use cases, Symantec’s current implementation of CT logs all certificates by default but provides an option for customers to “opt out” of logging certificates. This approach is clearly not optimal because it creates a gap in which not all certificates may be logged; however, it is presently the most effective way to address customers’ privacy concerns within the limitations of the current Certificate Transparency specification.
Currently, the Internet Engineering Task Force is working on the next version of the Certificate Transparency specification — RFC 6962-bis. This new version will allow for sub-domain information to be redacted from CT logging. Using the case above, a customer will be able to have their certificate for “top-secret-project.mycompany.com” logged as “?.mycompany.com”. This approach will enable companies to address their privacy concerns while ensuring that all of their certificates are being logged and monitored.
Symantec supports name redaction as the best way to address both transparency and privacy, and we intend to implement the new specification as soon as it is finalized.
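To make the difference between the two policies concrete, here is an added Python sketch (not Symantec's code and not the RFC 6962-bis encoding) that compares what a CT monitor for mycompany.com sees when private certificates are opted out of logging versus when they are logged with redacted names. The "?.mycompany.com" format follows the illustration above; treating the rightmost two labels as the registrable domain and the sample certificate list are assumptions.

```python
from fractions import Fraction

# Constructed sample of certificates a CA issued:
# (dNSName, customer asked for privacy).
ISSUED = [
    ("support.mycompany.com", False),
    ("www.mycompany.com", False),
    ("top-secret-project.mycompany.com", True),
    ("shop.otherorg.example", False),  # another customer's certificate
]

def redact_name(name, keep_labels=2):
    """Replace each label left of the registrable domain with '?'.
    Assumption: the registrable domain is the rightmost `keep_labels`
    labels (e.g. mycompany.com). This mirrors the page's illustration
    ('?.mycompany.com'), not the exact RFC 6962-bis draft encoding."""
    labels = name.split(".")
    hidden = max(len(labels) - keep_labels, 0)
    return ".".join(["?"] * hidden + labels[hidden:])

def log_opt_out(issued):
    """Opt-out policy: private certificates are never logged at all."""
    return [name for name, private in issued if not private]

def log_redacted(issued):
    """Redaction policy: every certificate is logged; private names are redacted."""
    return [redact_name(name) if private else name for name, private in issued]

def in_scope(name, domain):
    """True when `name` is `domain` itself or a sub-domain of it."""
    return name == domain or name.endswith("." + domain)

def monitor_view(log_entries, domain):
    """What a CT monitor watching `domain` sees in the log."""
    return [entry for entry in log_entries if in_scope(entry, domain)]

def coverage(issued, log_entries, domain):
    """Share of the customer's issued certificates that the monitor can see."""
    mine = [name for name, _ in issued if in_scope(name, domain)]
    return Fraction(len(monitor_view(log_entries, domain)), len(mine))

if __name__ == "__main__":
    for policy, log in (("opt-out", log_opt_out(ISSUED)), ("redaction", log_redacted(ISSUED))):
        print(policy, monitor_view(log, "mycompany.com"), coverage(ISSUED, log, "mycompany.com"))
```

Under opt-out the monitor sees two of the customer's three certificates and has no way to know a third exists; under redaction it sees all three, with the private host name hidden but the registrable domain still visible.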
Learn more about our support for Certificate Transparency here.
Mar 07 2018, 9:10 AM
Expanded Certificate Transparency Support
Today, Symantec announced it is expanding support for Certificate Transparency to all SSL/TLS certificate types and customer channels, a key piece of the puzzle in providing customers globally with strong certificate management capabilities.
Certificate Transparency (CT) is an open framework that was created to help organizations get a comprehensive view of what active certificates exist for domains that they own. It’s critical that organizations have a clear and complete view of these certificates to enable straightforward policy enforcement and to be able to quickly respond to threats like man-in-the-middle attacks.
As announced previously, we first added support for Certificate Transparency to all Symantec, Thawte, and GeoTrust Extended Validation (EV) certificate offerings in December 2014. As a next step in CT, we have now expanded support to our Organization Validation (OV) products under each of these brands and will be adding support for all of our Domain Validated (DV) products in late February 2016. CT support will be rolled out in its entirety by mid-March, when it will also be added to our Japan-specific platforms.
For Certificate Transparency to be truly effective, logging of certificates needs to be done by all Certification Authorities (CAs) for all publicly-trusted certificates. Symantec has started the dialogue with the other key players in the SSL/TLS ecosystem to make CT support a requirement of the CA/Browser Forum Baseline Requirements. Further, to increase the adoption of Certificate Transparency and to make it easier for other CAs to support CT, Symantec now allows third-party CAs to log their SSL/TLS certificates to Symantec’s CT servers as well.
Symantec is focused on continually strengthening certificate management and controls for our customers and within the SSL/TLS certificate ecosystem. Learn more about these latest improvements in Certificate Transparency.
Mar 07 2018, 9:10 AM