We like transparency and we’re a CA, hackers hack all night and we log all day – Charles Milander
Let’s Encrypt has wheeled out a new certificate transparency log called Oak, which is funded for a year by the certificates arm of Sectigo (formerly known as Comodo).
As well as the obvious corporate social responsibility impact for Sectigo, it helps ease pressure on an increasingly important piece of internet security infrastructure, the firm told El Reg.
Certificate transparency logs, or CT logs, at their simplest are public, append-only records of to whom SSL certificates were issued. The idea is to minimise the number of “mistakenly issued certificates or certificates that have been issued by a certificate authority (CA) that’s been compromised or gone rogue,” as the Certificate Transparency project explains.
In addition, public CT logs allow domain owners and users alike to check whether SSL certs have been issued by mistake. Browsers that enforce CT check for proof of logging automatically, though the logs themselves stay publicly queryable, so the basic infrastructure is still there for verification with the Mk.I human eyeball.
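The property that makes a CT log checkable by a domain owner rather than just by a browser is its Merkle tree: a log hands out a signed tree head and, for any entry, an inclusion proof that anyone can verify against it. The following is an added example written for this page, not code from Let's Encrypt, Sectigo or the Trillian project: it implements the RFC 6962 hashing rules (a 0x00 prefix for leaves, 0x01 for interior nodes, so a leaf can never be passed off as a node), builds a small tree over constructed stand-in entries, generates an inclusion proof and verifies it with the RFC 9162 verification algorithm, including the rejection of a forged leaf.

```python
import hashlib

# Constructed sample entries standing in for the certificates a CT log stores.
SAMPLE_LEAVES = [f"cert-{i}".encode() for i in range(7)]


def leaf_hash(data: bytes) -> bytes:
    """RFC 6962 leaf hash: SHA-256 over 0x00 || data (domain separation)."""
    return hashlib.sha256(b"\x00" + data).digest()


def node_hash(left: bytes, right: bytes) -> bytes:
    """RFC 6962 interior node hash: SHA-256 over 0x01 || left || right."""
    return hashlib.sha256(b"\x01" + left + right).digest()


def _split(n: int) -> int:
    """Largest power of two strictly less than n (requires n >= 2)."""
    k = 1
    while k * 2 < n:
        k *= 2
    return k


def merkle_tree_hash(leaves) -> bytes:
    """Root hash of a tree over the given entries (RFC 6962 section 2.1)."""
    n = len(leaves)
    if n == 0:
        return hashlib.sha256(b"").digest()
    if n == 1:
        return leaf_hash(leaves[0])
    k = _split(n)
    return node_hash(merkle_tree_hash(leaves[:k]), merkle_tree_hash(leaves[k:]))


def inclusion_path(m: int, leaves) -> list:
    """Audit path for entry m: sibling hashes from the leaf up to the root."""
    n = len(leaves)
    if n == 1:
        return []
    k = _split(n)
    if m < k:
        return inclusion_path(m, leaves[:k]) + [merkle_tree_hash(leaves[k:])]
    return inclusion_path(m - k, leaves[k:]) + [merkle_tree_hash(leaves[:k])]


def verify_inclusion(leaf_index: int, tree_size: int, lh: bytes, path, root: bytes) -> bool:
    """RFC 9162 section 2.1.3.2: recompute the root from a leaf hash and its path."""
    if leaf_index >= tree_size:
        return False
    fn, sn, r = leaf_index, tree_size - 1, lh
    for p in path:
        if sn == 0:
            return False          # more path elements than the tree can have
        if (fn & 1) == 1 or fn == sn:
            r = node_hash(p, r)   # sibling is on the left
            if (fn & 1) == 0:
                # Right-most node at this level: skip levels where we are the only child.
                while fn != 0 and (fn & 1) == 0:
                    fn >>= 1
                    sn >>= 1
        else:
            r = node_hash(r, p)   # sibling is on the right
        fn >>= 1
        sn >>= 1
    return sn == 0 and r == root


def all_entries_provable(leaves) -> bool:
    """Every entry in the tree should carry a proof that verifies against the root."""
    root = merkle_tree_hash(leaves)
    return all(
        verify_inclusion(i, len(leaves), leaf_hash(leaves[i]), inclusion_path(i, leaves), root)
        for i in range(len(leaves))
    )


if __name__ == "__main__":
    root = merkle_tree_hash(SAMPLE_LEAVES)
    print("root", root.hex())
    print("all entries verify:", all_entries_provable(SAMPLE_LEAVES))
    forged = verify_inclusion(0, 7, leaf_hash(b"forged"), inclusion_path(0, SAMPLE_LEAVES), root)
    print("forged leaf accepted:", forged)
```

Against a real log the root hash comes from the signed tree head the log publishes and the path from its get-proof-by-hash endpoint; the verification step is exactly the one above, which is why a monitor can hold a log to its word without trusting the operator.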
There are relatively few CT log providers who can handle the extremely high volume of submissions that comes with running a log trusted by browsers such as Chrome and Safari, which enforce CT. Let’s Encrypt itself told The Register it had issued “approximately half a billion certificates at this point.”
Sectigo senior fellow Tim Callan told us:
“What if one of these log providers decides to stop doing this? We’re in a deeply bad situation. If one of the log providers decides to stop doing this and someone has an outage… that seems like an untenable situation.”
He continued: “Imagine you’re standing in water up to your chin. Then compare that to standing in water up to your forehead. It’s only six inches but it makes a big difference.”
Sectigo added, in a statement: “Google Chrome requires all new certificates to be submitted to two separate logs, so multiple log options are imperative to our operation… Let’s Encrypt often issues more than one million certificates each day, so we wanted to design a CT log that is optimized for high volume.”
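The “two separate logs” requirement is visible in the certificate itself: each log that accepts a pre-certificate returns a signed certificate timestamp (SCT), and the CA embeds the SCTs in the issued certificate as a SignedCertificateTimestampList (RFC 6962 section 3.3). The following is an added example for this page, not Sectigo’s, Let’s Encrypt’s or Chrome’s code: it serialises two constructed SCTs into that list format, parses the list back and counts the distinct log IDs, which is the check a practitioner would make before assuming a certificate satisfies a two-log policy. The log IDs, timestamps and signature bytes are made up for the example.

```python
import struct

# Constructed 32-byte log IDs; real ones are the SHA-256 of the log's public key.
LOG_A = bytes([0xAA]) * 32
LOG_B = bytes([0xBB]) * 32
FAKE_SIG = b"\x30\x06\x02\x01\x01\x02\x01\x02"   # placeholder DER-ish blob, not a real signature

# TLS SignatureAndHashAlgorithm bytes used by CT logs: sha256 (4), ecdsa (3).
HASH_SHA256, SIG_ECDSA = 4, 3


def build_sct(log_id: bytes, timestamp_ms: int, signature: bytes) -> bytes:
    """Serialise one v1 SCT (RFC 6962 section 3.2) with an empty extensions field."""
    assert len(log_id) == 32
    return (b"\x00"                                  # sct_version = v1
            + log_id
            + struct.pack(">Q", timestamp_ms)
            + struct.pack(">H", 0)                   # extensions length
            + bytes([HASH_SHA256, SIG_ECDSA])
            + struct.pack(">H", len(signature)) + signature)


def build_sct_list(scts) -> bytes:
    """SignedCertificateTimestampList: 2-byte total length, then 2-byte-length-prefixed SCTs."""
    body = b"".join(struct.pack(">H", len(s)) + s for s in scts)
    return struct.pack(">H", len(body)) + body


def parse_sct_list(data: bytes) -> list:
    """Parse the list payload into dicts; raise ValueError on any length inconsistency."""
    if len(data) < 2:
        raise ValueError("truncated list length")
    (total,) = struct.unpack(">H", data[:2])
    if total != len(data) - 2:
        raise ValueError("list length does not match payload")
    pos, end, out = 2, 2 + total, []
    while pos < end:
        if pos + 2 > end:
            raise ValueError("truncated SCT length")
        (n,) = struct.unpack(">H", data[pos:pos + 2])
        pos += 2
        sct = data[pos:pos + n]
        pos += n
        if len(sct) != n or n < 1 + 32 + 8 + 2 + 2 + 2:
            raise ValueError("truncated SCT")
        if sct[0] != 0:
            raise ValueError("unsupported SCT version")
        log_id = sct[1:33]
        (ts,) = struct.unpack(">Q", sct[33:41])
        (ext_len,) = struct.unpack(">H", sct[41:43])
        p = 43 + ext_len
        if p + 4 > n:
            raise ValueError("extensions overrun SCT")
        hash_alg, sig_alg = sct[p], sct[p + 1]
        (sig_len,) = struct.unpack(">H", sct[p + 2:p + 4])
        sig = sct[p + 4:p + 4 + sig_len]
        if len(sig) != sig_len or p + 4 + sig_len != n:
            raise ValueError("signature length mismatch")
        out.append({"log_id": log_id, "timestamp_ms": ts,
                    "hash_alg": hash_alg, "sig_alg": sig_alg, "signature": sig})
    return out


def distinct_logs(scts) -> int:
    """Number of different logs represented; a policy of 'two logs' means this must be >= 2."""
    return len({s["log_id"] for s in scts})


def is_well_formed(data: bytes) -> bool:
    try:
        parse_sct_list(data)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    two_logs = build_sct_list([build_sct(LOG_A, 1559000000000, FAKE_SIG),
                               build_sct(LOG_B, 1559000000500, FAKE_SIG)])
    print("distinct logs:", distinct_logs(parse_sct_list(two_logs)))
```

Parsing the list is only the first step: a relying party also verifies each SCT’s signature against the public key of a log on its trusted list, which is the list Oak was submitted to (see below). Two SCTs from the same log, as the `LOG_A` twice case shows, do not satisfy a two-log requirement.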
This is where the Oak log, freshly sponsored by Sectigo for a year, comes in. It is built on Google’s open-source Trillian verifiable-log software running on AWS, with Kubernetes for container orchestration and job scheduling.
Oak has been submitted for inclusion in the approved log lists for Google Chrome and Apple Safari, Sectigo said. After 90 days of successful monitoring, “we anticipate our log will be added to these trusted lists and that change will propagate to people’s browsers with subsequent browser version releases.” ®