Let’s Encrypt has wheeled out a new certificate transparency log called Oak, which is funded for a year by the certificates arm of Sectigo (formerly known as Comodo).

As well as the obvious corporate social responsibility impact for Sectigo, it helps ease pressure on an increasingly important piece of internet security infrastructure, the firm told El Reg.

Certificate transparency logs, or CT logs, at their simplest are public, append-only records of which SSL/TLS certificates were issued, and to whom. The idea is to minimise the number of “mistakenly issued certificates or certificates that have been issued by a certificate authority (CA) that’s been compromised or gone rogue,” as the Certificate Transparency project explains.

In addition, public CT logs allow domain owners and users alike to check whether SSL certs have been issued by mistake. Browsers bake in a check that a certificate has been logged, though the logs themselves are still open for verification with the Mk.I human eyeball.
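What makes a CT log verifiable rather than just a list is its structure: entries are leaves of a Merkle hash tree, and the log can prove that any given entry sits under a published tree head. The following is an added example, not code from the article, Let’s Encrypt or Sectigo: it implements the RFC 6962 leaf and node hashing, builds the tree head, generates an inclusion proof and verifies it with the algorithm from RFC 6962/9162. The log entries are constructed stand-ins (short byte strings standing in for encoded certificates); a real log returns the same kind of proof from its get-proof-by-hash endpoint, which this example does not call.

```python
import hashlib
from typing import List

# RFC 6962 domain separation: leaves and interior nodes are hashed with
# different prefix bytes so a leaf can never be confused with a node.
LEAF_PREFIX = b"\x00"
NODE_PREFIX = b"\x01"

# Constructed sample entries standing in for the leaf_input of real log
# entries. Real logs hold DER-encoded (pre)certificates here.
SAMPLE_ENTRIES: List[bytes] = [
    b"cert:example.com:serial=01",
    b"cert:example.net:serial=02",
    b"cert:example.org:serial=03",
    b"cert:mail.example.com:serial=04",
    b"cert:shop.example.net:serial=05",
    b"cert:www.example.org:serial=06",
    b"cert:api.example.com:serial=07",
]


def leaf_hash(data: bytes) -> bytes:
    """SHA-256(0x00 || leaf_input), as in RFC 6962 section 2.1."""
    return hashlib.sha256(LEAF_PREFIX + data).digest()


def node_hash(left: bytes, right: bytes) -> bytes:
    """SHA-256(0x01 || left || right) for an interior node."""
    return hashlib.sha256(NODE_PREFIX + left + right).digest()


def _split(n: int) -> int:
    """Largest power of two strictly less than n (n >= 2)."""
    k = 1
    while k * 2 < n:
        k *= 2
    return k


def tree_head(entries: List[bytes]) -> bytes:
    """Merkle Tree Hash MTH(D[n]) over the ordered entries."""
    if not entries:
        return hashlib.sha256(b"").digest()  # MTH({}) is the hash of the empty string
    if len(entries) == 1:
        return leaf_hash(entries[0])
    k = _split(len(entries))
    return node_hash(tree_head(entries[:k]), tree_head(entries[k:]))


def inclusion_proof(m: int, entries: List[bytes]) -> List[bytes]:
    """Audit path PATH(m, D[n]) for the entry at index m, deepest sibling first."""
    n = len(entries)
    if n <= 1:
        return []
    k = _split(n)
    if m < k:
        return inclusion_proof(m, entries[:k]) + [tree_head(entries[k:])]
    return inclusion_proof(m - k, entries[k:]) + [tree_head(entries[:k])]


def verify_inclusion(leaf: bytes, leaf_index: int, tree_size: int,
                     proof: List[bytes], root: bytes) -> bool:
    """Verify an inclusion proof (RFC 9162 section 2.1.3.2).

    fn tracks the leaf index and sn the last index in the tree; the parity of
    fn decides whether the sibling hash goes on the left or the right.
    """
    if leaf_index >= tree_size:
        return False
    fn, sn = leaf_index, tree_size - 1
    r = leaf_hash(leaf)
    for p in proof:
        if sn == 0:
            return False  # proof is longer than the tree is deep
        if fn & 1 or fn == sn:
            r = node_hash(p, r)  # sibling is on the left
            if not fn & 1:
                # fn == sn: we are the last node on this level; skip levels
                # where the partial right-hand subtree has no sibling.
                while fn != 0 and not fn & 1:
                    fn >>= 1
                    sn >>= 1
        else:
            r = node_hash(r, p)  # sibling is on the right
        fn >>= 1
        sn >>= 1
    return sn == 0 and r == root


def check_all(entries: List[bytes]) -> bool:
    """Every entry of a log must verify against that log's tree head."""
    root = tree_head(entries)
    n = len(entries)
    return all(verify_inclusion(e, i, n, inclusion_proof(i, entries), root)
               for i, e in enumerate(entries))


if __name__ == "__main__":
    root = tree_head(SAMPLE_ENTRIES)
    print("tree head:", root.hex())
    print("all entries verify:", check_all(SAMPLE_ENTRIES))
    proof = inclusion_proof(2, SAMPLE_ENTRIES)
    print("tampered entry verifies:",
          verify_inclusion(b"cert:evil.example:serial=03", 2, 7, proof, root))
```

A monitor watching a log for its own domains does the reverse of what a browser does: it fetches entries and tree heads, checks that each entry it cares about is provably in the tree, and raises the alarm on any certificate it did not expect to see. The domain-separated prefixes are what stop an attacker from presenting an interior node as a leaf, which is why a proof verifier must never hash leaves and nodes the same way.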

There are relatively few CT log providers who can handle the extremely high volume of submissions and queries that comes with running a log trusted by Google Chrome and Apple Safari, with Let’s Encrypt itself telling The Register it had issued “approximately half a billion certificates at this point.”

Sectigo senior fellow Tim Callan told us:

“What if one of these log providers decides to stop doing this? We’re in a deeply bad situation. If one of the log providers decides to stop doing this and someone has an outage… that seems like an untenable situation.”


He continued: “Imagine you’re standing in water up to your chin. Then compare that to standing in water up to your forehead. It’s only six inches but it makes a big difference.”

Sectigo added, in a statement: “Google Chrome requires all new certificates to be submitted to two separate logs, so multiple log options are imperative to our operation… Let’s Encrypt often issues more than one million certificates each day, so we wanted to design a CT log that is optimized for high volume.”

This is where the Oak log, freshly sponsored by Sectigo for a year, comes in. It is built on Google’s Trillian software running on AWS, with Kubernetes for container orchestration and job scheduling.

Oak has been submitted for inclusion in the approved log lists for Google Chrome and Apple Safari, Sectigo said. After 90 days of successful monitoring, “we anticipate our log will be added to these trusted lists and that change will propagate to people’s browsers with subsequent browser version releases.” ®