Difference between revisions of "Certificate Transparency"

From MgmtWiki
(References)
(Qualified Web Authentication Certificates (QWAC))
 
(7 intermediate revisions by the same user not shown)
Line 1: Line 1:
 
==Full Title or Meme==
 
==Full Title or Meme==
A method introduced by Google to allow any browser to check the security of any web site.
+
A method introduced by Google to allow any browser to check the security of any [[Web Site]].
  
 
==Context==
 
==Context==
 +
 +
[https://datatracker.ietf.org/doc/html/draft-housley-web-pki-problems-00#section-5.4 Certificate Transparency] Housley 2016-07
 +
 +
Certificate Transparency [RFC6962] offers a mechanism to detect misissued certificates, and once detected, administrators and CAs can take the necessary actions to revoke the mis-issued certificates.
 +
 +
  When requesting a certificate, the administrator can request the CA to include an embedded Signed Certificate Timestamp (SCT) in the certificate to ensure that their legitimate certificate is logged with one or more Certificate Transparency (CT) log.
 +
 +
  In the future, a browser may choose to reject certificates without an SCT, and potentially notify the website administrator or CA when they encounter such a certificate.  This reporting will help detect misissuance of certificates and lead to their revocation.
 +
 +
  A administrator, or another party acting on behalf of the administrator, is able to monitor one or more CT log to which a pre-certificate or certificate is submitted, and detect the logging of a pre-certificate or certificate that contains their domain name.  When such a pre-certificate or certificate is detected, the CA can be contacted to to get the mis-issued certificate revoked.
 +
 +
==Solutions==
 +
* [https://transparency.dev/articles/logs-a-verifiable-transport-layer/  Transparency Logs: A Verifiable Transport Layer]
 +
==Qualified Web Authentication Certificates (QWAC)==
 +
Proposed changes to Article 45 of eIDAS2 propose compelling web browsers to support QWACs and to provide meaningful user interface to display information about a website operator’s identity to users.<ref>Stephen Davidon '''' DigiCert (2023-10-24) https://www.linkedin.com/pulse/qualified-certificate-transparency-stephen-davidson-k3p8e/?trackingId=Yws%2BXtKJRgOeBcKB47dLnw%3D%3D</ref>
  
 
==References==
 
==References==
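Review bot: The added Context paragraphs carry two typos: "A administrator" should read "An administrator", and "contacted to to get" has a doubled word. "One or more ... log" should also be plural in both places it appears. In the QWAC `<ref>`, the author is spelled "Davidon" while the linked URL reads "stephen-davidson", the title between the quote marks is empty, and the `trackingId` query parameter can be dropped from the link. The Context text is presented as wiki prose directly under the Housley link; if it is taken from that draft, mark it as a quotation.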
Line 11: Line 26:
  
 
[[Category: Trust]]
 
[[Category: Trust]]
 +
[[Category: Certificate]]

Latest revision as of 13:17, 8 December 2023

Full Title or Meme

A method introduced by Google to allow any browser to check the security of any Web Site.

Context

Certificate Transparency Housley 2016-07

Certificate Transparency [RFC6962] offers a mechanism to detect mis-issued certificates, and once detected, administrators and CAs can take the necessary actions to revoke the mis-issued certificates.

  When requesting a certificate, the administrator can request the CA to include an embedded Signed Certificate Timestamp (SCT) in the certificate to ensure that their legitimate certificate is logged with one or more Certificate Transparency (CT) logs.
  In the future, a browser may choose to reject certificates without an SCT, and potentially notify the website administrator or CA when they encounter such a certificate.  This reporting will help detect mis-issuance of certificates and lead to their revocation.
  An administrator, or another party acting on behalf of the administrator, is able to monitor one or more CT logs to which a pre-certificate or certificate is submitted, and detect the logging of a pre-certificate or certificate that contains their domain name.  When such a pre-certificate or certificate is detected, the CA can be contacted to get the mis-issued certificate revoked.
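
The embedded-SCT check described above, as an added example (not from this wiki page or the Housley draft): a Python parser for the TLS-encoded SCT list defined in RFC 6962, with a hypothetical `accept` policy that requires SCTs from a minimum number of distinct logs. The function names, `min_logs` and the sample bytes are assumptions; signatures are parsed but not verified, since verification needs each log's public key.

```python
import struct

def parse_sct(buf: bytes) -> dict:
    """Parse one v1 SCT: version, log ID, timestamp, extensions, signature."""
    if len(buf) < 47:
        raise ValueError("truncated SCT")
    version, log_id, ts_ms, ext_len = struct.unpack_from(">B32sQH", buf, 0)
    if version != 0:
        raise ValueError("unsupported SCT version")
    pos = 43 + ext_len  # skip the (normally empty) extensions
    if pos + 4 > len(buf):
        raise ValueError("extensions overrun SCT")
    hash_alg, sig_alg, sig_len = struct.unpack_from(">BBH", buf, pos)
    if pos + 4 + sig_len != len(buf):
        raise ValueError("signature length mismatch")
    return {"log_id": log_id, "timestamp_ms": ts_ms,
            "sig_alg": (hash_alg, sig_alg), "signature": buf[pos + 4:]}

def parse_sct_list(data: bytes) -> list:
    """Parse the TLS-encoded SCT list (outer DER OCTET STRING already removed)."""
    if len(data) < 2 or struct.unpack_from(">H", data)[0] != len(data) - 2:
        raise ValueError("SCT list length mismatch")
    scts, pos = [], 2
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated SCT length")
        (n,) = struct.unpack_from(">H", data, pos)
        if pos + 2 + n > len(data):
            raise ValueError("SCT overruns list")
        scts.append(parse_sct(data[pos + 2:pos + 2 + n]))
        pos += 2 + n
    return scts

def accept(data: bytes, min_logs: int = 1) -> bool:
    """Hypothetical client policy: require SCTs from min_logs distinct logs."""
    try:
        return len({s["log_id"] for s in parse_sct_list(data)}) >= min_logs
    except ValueError:
        return False

def build_list(entries: list) -> bytes:
    """Build constructed sample input from (log_id, ts_ms, dummy_sig) tuples."""
    scts = [struct.pack(">B32sQHBBH", 0, lid, ts, 0, 4, 3, len(sig)) + sig
            for lid, ts, sig in entries]
    body = b"".join(struct.pack(">H", len(s)) + s for s in scts)
    return struct.pack(">H", len(body)) + body

# Constructed sample: two SCTs with made-up log IDs and dummy signatures.
SAMPLE = build_list([(b"A" * 32, 1700000000000, b"\x01" * 8),
                     (b"B" * 32, 1700000000500, b"\x02" * 8)])
```

A missing, empty or malformed list is rejected, and two SCTs from the same log count once, so a single log cannot satisfy a multi-log policy.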

Solutions

Qualified Web Authentication Certificates (QWAC)

Proposed changes to Article 45 of eIDAS2 would compel web browsers to support QWACs and to provide a meaningful user interface that displays information about a website operator’s identity to users.[1]

References

  1. Stephen Davidson, DigiCert (2023-10-24) https://www.linkedin.com/pulse/qualified-certificate-transparency-stephen-davidson-k3p8e/?trackingId=Yws%2BXtKJRgOeBcKB47dLnw%3D%3D

Other Material