(posted to [email protected], [email protected]
and [email protected])

Hi CT watchers,

We wanted to put an update out to summarize what the Certificate
Transparency team at Google is working on as well as other efforts in
the space that we are aware of.  There are lots of other great
contributions taking place from other organizations and individuals so
we apologize for anything that we've missed and we'd also love to hear
more about them.

Standards work
==============
Achievements:
- Work continues on RFC6962-bis. Version 8 of the draft was published in
  July [1].
- IETF 93 was held in Prague in July, and the following CT presentations
  took place:
  - "trans" issues update [2] - Eran Messeri
  - CT Attack Model [3] - Steve Kent
  - draft-linus-trans-gossip-ct [4] - Daniel Kahn Gillmor and Linus
    Nordberg
  - CT for Binary Code [5] - Dacheng Zhang and Daniel Kahn Gillmor
  - Selective Logs [6] - Rich Salz
- New version of Gossip Internet Draft published in July [7].

Lookahead:
- We're very interested in exploring how we make it viable for a
  site-owner to be able to opt-in to requiring CT, ahead of any general
  browser-enforced deadlines.  We would welcome participation in helping
  define what this might look like in a manner that would work well for
  both browsers and site-owners.

[1] https://tools.ietf.org/html/draft-ietf-trans-rfc6962-bis-08
[2] https://www.ietf.org/proceedings/93/slides/slides-93-trans-3.pdf
[3] https://www.ietf.org/proceedings/93/slides/slides-93-trans-0.pdf
[4] https://www.ietf.org/proceedings/93/slides/slides-93-trans-2.pdf
[5] https://www.ietf.org/proceedings/93/slides/slides-93-trans-1.pdf
[6] https://www.ietf.org/proceedings/93/slides/slides-93-trans-4.pdf
[7] https://tools.ietf.org/html/draft-linus-trans-gossip-ct-02

Log servers
===========
Achievements:
- Symantec's log successfully completed compliance testing in August and
  the process has begun to move this into Chrome's trusted logs store
  [1].
- Testing is underway for one other log server implementation, Venafi.
- Design doc published for Google's open source log server [2].
- README updated with Quickstart instructions for building Google's open
  source log server [3].

Lookahead:
- Google is planning to update the open-source implementation to track
  the changes made in RFC6962-bis.

[1] http://www.certificate-transparency.org/known-logs
[2] https://github.com/google/certificate-transparency/blob/master/docs/DesignDoc.md
[3] https://github.com/google/certificate-transparency/blob/master/README.md

Client implementations
======================
Achievements:
- Apple's new App Transport Security for iOS 9 and Mac OS X 10.11
  includes support for Certificate Transparency [1], although we're not
  sure exactly what it does yet.  Does anyone reading this have details to
  share?
- Chrome 41, released in March of this year, began enforcing the CT
  requirement for all EV certificates issued after 1 Jan 2015.

Lookahead:
- Google is working with the Mozilla Foundation and a contractor to
  build a patch to contribute to Firefox to provide Certificate
  Transparency support in Firefox.
- Google is planning to launch a set of DNS servers to be able to handle
  inclusion proof checking over DNS. The primary motivation for doing so
  is so that a client (such as Chrome, or other browsers that wish to
  use this) can perform inclusion proof checks without directly
  revealing the browsing history of the user to any new parties,
  including Google. The intent is that the client will receive an
  inclusion proof by performing a DNS lookup for a TXT record for a
  specially crafted hostname, via the user's existing DNS resolver
  (typically an ISP) which in turn will recurse to eventually service
  the request from a Google DNS server.  In this manner the client is
  only revealing the leaf hashes they see (and thus the sites they
  visit) to their existing DNS resolver, which already (in practically
  all cases) has just serviced a DNS request for that same site and thus
  already knows their browsing history.
- Google is building out log mirrors for all logs included by Chrome,
  and the intent is that read-only requests from Chrome (for STHs or
  inclusion proofs, via the DNS mechanism above) will be serviced by a
  log mirror, rather than the underlying logs.
- Google is building out Chrome support to include STH fetching, and to
  use the DNS inclusion proof method outlined above.  We intend to
  provide more information (including protocol details) as we make
  progress.
- Google is working with the OpenSSL community on adding experimental
  support into OpenSSL client for retrieving and validating all SCTs
  associated with a TLS connection [2].

[1] https://developer.apple.com/library/prerelease/ios/technotes/App-Transport-Security-Technote/
[2] https://github.com/aeijdenberg/openssl/blob/add_get_peer_scts/crypto/ct/README.md
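The inclusion proof check is the computation the DNS mechanism above exists to feed: the client ends up holding a leaf hash, an audit path and an STH root, and must tie them together. As an added example (not code from this post or from Google's CT project), here is the RFC 6962 Merkle tree hash, audit path construction, and the RFC 6962-bis client-side verification loop in Python, run over a constructed seven-entry log; the DNS hostname format and TXT encoding are not specified in this post, so the example starts from an already-fetched proof.

```python
import hashlib

def hash_leaf(data: bytes) -> bytes:
    """RFC 6962 leaf hash: SHA-256(0x00 || data)."""
    return hashlib.sha256(b"\x00" + data).digest()

def hash_node(left: bytes, right: bytes) -> bytes:
    """RFC 6962 interior node hash: SHA-256(0x01 || left || right)."""
    return hashlib.sha256(b"\x01" + left + right).digest()

def merkle_tree_hash(leaves: list) -> bytes:
    """MTH(D[n]) from RFC 6962 section 2.1: the root hash an STH signs."""
    n = len(leaves)
    if n == 0:
        return hashlib.sha256(b"").digest()
    if n == 1:
        return hash_leaf(leaves[0])
    k = 1 << ((n - 1).bit_length() - 1)  # largest power of two < n
    return hash_node(merkle_tree_hash(leaves[:k]), merkle_tree_hash(leaves[k:]))

def audit_path(m: int, leaves: list) -> list:
    """PATH(m, D[n]): the sibling hashes a log returns as an inclusion proof."""
    n = len(leaves)
    if n <= 1:
        return []
    k = 1 << ((n - 1).bit_length() - 1)
    if m < k:
        return audit_path(m, leaves[:k]) + [merkle_tree_hash(leaves[k:])]
    return audit_path(m - k, leaves[k:]) + [merkle_tree_hash(leaves[:k])]

def verify_inclusion(leaf_hash: bytes, leaf_index: int, tree_size: int,
                     path: list, root_hash: bytes) -> bool:
    """Client check from RFC 6962-bis: rebuild the root from leaf and path."""
    if leaf_index >= tree_size:
        return False
    fn, sn, r = leaf_index, tree_size - 1, leaf_hash
    for p in path:
        if sn == 0:  # proof is longer than the tree is deep
            return False
        if fn & 1 or fn == sn:
            r = hash_node(p, r)  # sibling is on our left
            while fn and not fn & 1:  # skip levels where we have no sibling
                fn, sn = fn >> 1, sn >> 1
        else:
            r = hash_node(r, p)  # sibling is on our right
        fn, sn = fn >> 1, sn >> 1
    return sn == 0 and r == root_hash

# Constructed sample log: seven placeholder entries standing in for certificates.
SAMPLE_LEAVES = [b"constructed-cert-%d" % i for i in range(7)]
SAMPLE_ROOT = merkle_tree_hash(SAMPLE_LEAVES)
```

A proof that verifies against a root the client obtained independently (from an STH) is what lets the client accept the SCT without trusting the party that handed it the proof.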

Server implementations
======================
Achievements:
- haproxy [1], nginx [2] and Apache [3] support serving SCTs via TLS
  extensions (thanks to Janusz Dziemidowicz, Graham Edgecombe and Jeff
  Trawick respectively).
- New section added to Certificate Transparency site to demonstrate how
  to use these [4].
- (Apologies this is so specific to Google, but this was a big effort
  due to the scale of the organization/infrastructure) Google.com
  properties are now serving SCTs via the TLS Extension.

Lookahead:
- Google is looking at how to add SCT support to QUIC protocol, which is
  used to communicate between Chrome and many Google properties.

[1] https://cbonte.github.io/haproxy-dconv/configuration-1.6.html#5.1-crt
[2] https://github.com/grahamedgecombe/nginx-ct
[3] https://httpd.apache.org/docs/trunk/mod/mod_ssl_ct.html
[4] http://www.certificate-transparency.org/resources-for-site-owners

Monitors
========
Achievements:
- Both DigiCert [1] and Comodo [2] have implemented log monitors
  allowing interested parties to view certificates that are issued for
  a domain.
- Matt Palmer released an open-source Ruby framework for building your
  own monitor [3].

Lookahead:
- Google is also looking at adding a way to allow interested parties to
  search for and view certificates found in CT logs.
- Comodo is planning to release their monitor as open-source.

[1] https://www.digicert.com/certificate-monitoring/
[2] https://crt.sh/
[3] https://github.com/tobermorytech/certificate-transparency-monitor