On 11/11/15 14:02, B.R. wrote:
It is sad Chrome kind of forces website owners to have Certificate
Transparency available while the whole thing is still categorized as
'Experimental' by the IETF to this day:
https://tools.ietf.org/html/rfc6962
... but that is another debate. If you wanna serve CT certificates from
a non-CT-compliant CA, you will need to serve it through a TLS
extension, i.e. using a server module.
In the end, it sounds logical that CA implement this mechanism on their
side, through OCSP.
Indeed it does (and I'm very glad I pushed for this feature to be
included in RFC6962 :-) ).
If you have a cert from Comodo, we can embed SCTs in OCSP Responses for
you today. Just ask. :-)
(IIRC, DigiCert can do this too. I don't know about any other CAs).
For now, this RFC's future is uncertain and the technical oddities this
mechanism implies (double issuance
<https://community.letsencrypt.org/t/will-you-support-certificate-transparency/222/11>,
for example) might make CAs reluctant to rush, and it is perfectly
understandable.
Google have consistently said that they intend to require CT for all (EV
and non-EV) TLS server certificates eventually.
Given that Google are "going to require that as of June 1st, 2016, all
certificates issued by Symantec itself will be required to support
Certificate Transparency" [1], it seems that "eventually" might not be
that far away.
BTW, note that over at the IETF we're working on the next version of CT [2].
[1]
https://googleonlinesecurity.blogspot.co.uk/2015/10/sustaining-digital-certificate-security.html
[2] https://datatracker.ietf.org/doc/draft-ietf-trans-rfc6962-bis/
If you support Chrome's vision and Google's wish to force the way of
this RFC, go for a compliant CA or use a custom module.
---
*B. R.*
On Wed, Nov 11, 2015 at 12:11 PM, Rob Stradling
<[email protected]> wrote:
On 11/11/15 11:03, locojohn wrote:
Joó Ádám Wrote:
-------------------------------------------------------
The TLS extension is the only method to implement Certificate
Transparency without the assistance of the CA, and starting with
January 1 2015 Chrome refuses to display the green bar for EV
certificates without Certificate Transparency.
StartSSL is one CA that currently does not support other methods,
which means a lot of sites suffer from this.
Interesting, we have installed multi-domain EV certificates from
StartSSL
for our company and we use Nginx, and EV green bar works in all
modern and
even not so modern browsers:
https://www.ahlers.com
In Chrome 46, I see "https:" in green but I don't see the "EV green
bar" that shows the Subject Organization Name. That's because...
I presume Certificate Transparency is not required then?
...CT _is_ required if you want to see the EV green bar in recent
versions of Chrome.
Best regards,
Andrejs
--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
_______________________________________________
nginx mailing list
[email protected]
http://mailman.nginx.org/mailman/listinfo/nginx
--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
Office Tel: +44.(0)1274.730505
Office Fax: +44.(0)1274.730909
www.comodo.com
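The three delivery methods discussed in this thread (the signed_certificate_timestamp TLS extension served by an nginx module, SCTs in a stapled OCSP response, and SCTs embedded in the certificate) all carry the same TLS-encoded SignedCertificateTimestampList from RFC 6962 section 3.3; in the OCSP and X.509 cases it is merely wrapped in an ASN.1 OCTET STRING. The parser below is an added example, not code from the thread or from any nginx module. Its sample input is constructed inline: the log IDs and signature bytes are placeholders, not real logs, so the example decodes and sanity-checks the structure and builds the bytes a log signs (section 3.2) but does not verify the signature, which would need the log's public key.

```python
"""Decode an RFC 6962 SignedCertificateTimestampList (added example, constructed input)."""
import struct
from dataclasses import dataclass

HASH_ALGS = {4: "sha256"}          # TLS HashAlgorithm ids used by CT logs
SIG_ALGS = {1: "rsa", 3: "ecdsa"}  # TLS SignatureAlgorithm ids


@dataclass
class SCT:
    version: int         # 0 == v1, the only version RFC 6962 defines
    log_id: bytes        # SHA-256 of the log's DER-encoded public key
    timestamp_ms: int    # milliseconds since the UNIX epoch
    extensions: bytes
    hash_alg: int
    sig_alg: int
    signature: bytes


def parse_sct(data: bytes) -> SCT:
    """Parse one SerializedSCT (RFC 6962 section 3.2); rejects unknown versions and bad lengths."""
    if len(data) < 1 + 32 + 8 + 2:
        raise ValueError("SCT truncated")
    version = data[0]
    if version != 0:
        raise ValueError(f"unknown SCT version {version}")
    log_id = data[1:33]
    (timestamp_ms,) = struct.unpack("!Q", data[33:41])
    (ext_len,) = struct.unpack("!H", data[41:43])
    pos = 43
    extensions = data[pos:pos + ext_len]
    pos += ext_len
    if len(extensions) != ext_len or len(data) < pos + 4:
        raise ValueError("SCT extensions/signature truncated")
    hash_alg, sig_alg, sig_len = struct.unpack("!BBH", data[pos:pos + 4])
    pos += 4
    signature = data[pos:pos + sig_len]
    if len(signature) != sig_len or pos + sig_len != len(data):
        raise ValueError("SCT signature length mismatch")
    return SCT(version, log_id, timestamp_ms, extensions, hash_alg, sig_alg, signature)


def parse_sct_list(data: bytes) -> list:
    """Parse a SignedCertificateTimestampList: 2-byte total length, then 2-byte-prefixed SCTs."""
    if len(data) < 2:
        raise ValueError("SCT list truncated")
    (total,) = struct.unpack("!H", data[:2])
    if total + 2 != len(data):
        raise ValueError("SCT list length mismatch")
    scts, pos = [], 2
    while pos < len(data):
        (n,) = struct.unpack("!H", data[pos:pos + 2])
        pos += 2
        scts.append(parse_sct(data[pos:pos + n]))
        pos += n
    return scts


def distinct_logs(scts) -> int:
    """Browser CT policies count SCTs from distinct logs, not SCTs in total."""
    return len({s.log_id for s in scts})


def signed_input_x509(sct: SCT, cert_der: bytes) -> bytes:
    """The digitally-signed struct for an x509_entry (RFC 6962 section 3.2).

    A verifier checks sct.signature over these bytes with the log's key.
    """
    return (
        bytes([sct.version, 0])                          # sct_version, signature_type=certificate_timestamp
        + struct.pack("!Q", sct.timestamp_ms)
        + struct.pack("!H", 0)                           # entry_type = x509_entry
        + len(cert_der).to_bytes(3, "big") + cert_der    # ASN.1Cert is opaque <1..2^24-1>
        + struct.pack("!H", len(sct.extensions)) + sct.extensions
    )


def build_sct(log_id: bytes, timestamp_ms: int, signature: bytes, extensions: bytes = b"") -> bytes:
    """Serialise a length-prefixed v1 SCT (sha256/ecdsa); used only to construct the sample below."""
    body = (bytes([0]) + log_id + struct.pack("!Q", timestamp_ms)
            + struct.pack("!H", len(extensions)) + extensions
            + struct.pack("!BBH", 4, 3, len(signature)) + signature)
    return struct.pack("!H", len(body)) + body


# Constructed sample list: two SCTs from two hypothetical logs, placeholder ids and signatures.
SAMPLE_LIST = struct.pack("!H", 0) + b""
_scts = (build_sct(b"\x11" * 32, 1447250520000, b"\x30\x45" + b"\xaa" * 69)
         + build_sct(b"\x22" * 32, 1447250521000, b"\x30\x44" + b"\xbb" * 68))
SAMPLE_LIST = struct.pack("!H", len(_scts)) + _scts

if __name__ == "__main__":
    for s in parse_sct_list(SAMPLE_LIST):
        print(s.log_id.hex()[:16], s.timestamp_ms,
              HASH_ALGS.get(s.hash_alg, "?"), SIG_ALGS.get(s.sig_alg, "?"), len(s.signature))
    print("distinct logs:", distinct_logs(parse_sct_list(SAMPLE_LIST)))
```

To obtain real input for this parser, OpenSSL 1.1.0 or later can request the TLS extension with `openssl s_client -ct` and a stapled OCSP response with `-status`; an embedded list sits in the certificate extension with OID 1.3.6.1.4.1.11129.2.4.2 and the OCSP one under 1.3.6.1.4.1.11129.2.4.5, in both cases inside an OCTET STRING whose contents feed `parse_sct_list` unchanged.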