What happened at CT days 2020?

New community website

You might be familiar with the current CT website. It is a little bit like an explosion of technical details and links from several years back that, if you digest it all, tell you how Google’s CT project works. This is not particularly welcoming for newcomers who need to grasp what CT is today and how it fits into the broader picture of the web’s public-key infrastructure. For example, CT is no longer Google’s own logging project, but rather an ecosystem of different people and organizations that come together with one mission: to detect maliciously or mistakenly issued certificates. This happens to be the first thing you will find when browsing the new community website. It is nifty-looking, and I encourage you to browse it yourself. You will notice that the origin story of CT and its broader context are described, which helps the reader pick up the fundamentals from a combination of text and visualizations.

source: https://certificate.transparency.dev/

Policy updates

I can second that it is not always easy to understand every nuance of CT enforcement by different user agents. For example, I remember filing a bug not too long ago when noticing that Chromium (not to be confused with Google Chrome) disabled CT by default. In the future there might be a separate and lighter-weight Chromium CT policy that embedders could use as a starting point, but for now Google’s policy will be shaped solely for Chrome. This is reflected by the new CT policy website that is being drafted: the so-called Chrome Certificate Transparency Policy. Devon O’Brien appropriately described it as a complete overhaul of what the current policy states and how these requirements are framed specifically for enforcement in Chrome.

Removing the one-Google log requirement?

Google Chrome currently considers a certificate CT compliant if it is accompanied by two SCTs. One of these SCTs must additionally be issued by a log that Google runs. If Google’s CT logs are operated in good faith, we can be sure that there are no mis-issued certificates that go unnoticed.
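The compliance rule described above, applied to a parsed SCT list, as an added example that is not part of the original post or Chrome's own code. The log IDs, operator names and the `encode_list` helper are constructed for illustration; the SCT layout follows RFC 6962, and signatures are not verified here.

```python
import struct
from dataclasses import dataclass

# Constructed log list (log_id -> operator). Real log IDs are SHA-256 hashes
# of log public keys; these 32-byte values are placeholders.
KNOWN_LOGS = {b"\x01" * 32: "Google",
              b"\x03" * 32: "Operator A", b"\x04" * 32: "Operator B"}

@dataclass
class SCT:
    version: int
    log_id: bytes
    timestamp_ms: int

def parse_sct_list(data: bytes) -> list:
    """Parse a TLS-encoded SignedCertificateTimestampList (RFC 6962, section 3.3)."""
    if len(data) < 2 or struct.unpack_from(">H", data)[0] != len(data) - 2:
        raise ValueError("bad list length")
    scts, pos = [], 2
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated SCT length")
        n = struct.unpack_from(">H", data, pos)[0]
        item = data[pos + 2:pos + 2 + n]
        if len(item) != n or n < 47:  # 47 bytes = smallest well-formed v1 SCT
            raise ValueError("truncated SCT")
        version, log_id, ts, ext_len = struct.unpack_from(">B32sQH", item)
        sig_off = 43 + ext_len + 2  # skip extensions and the 2 algorithm bytes
        if sig_off + 2 > n or sig_off + 2 + struct.unpack_from(">H", item, sig_off)[0] != n:
            raise ValueError("SCT length mismatch")
        scts.append(SCT(version, log_id, ts))
        pos += 2 + n
    return scts

def ct_compliant(scts) -> bool:
    """The rule as the post states it: two SCTs, one from a Google-run log.
    Assumptions of this example: only v1 SCTs from known logs count, and two
    SCTs from the same log count once."""
    ops = {s.log_id: KNOWN_LOGS[s.log_id] for s in scts
           if s.version == 0 and s.log_id in KNOWN_LOGS}
    return len(ops) >= 2 and "Google" in ops.values()

def encode_list(log_ids) -> bytes:
    """Build a constructed sample list; signatures are dummy bytes."""
    out = b""
    for lid in log_ids:
        body = (struct.pack(">B32sQH", 0, lid, 1600000000000, 0)
                + b"\x04\x03" + struct.pack(">H", 8) + bytes(8))
        out += struct.pack(">H", len(body)) + body
    return struct.pack(">H", len(out)) + out
```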

  1. Functionality. Does it work and in what threat model?
  2. Privacy. What information do which parties learn?
  3. Client-side performance. Bandwidth, computation, and storage?
  4. Latency. How much is added, if any?
  5. Server-side infrastructure costs. What needs to be changed or added?
  6. Threat model. Mainly in terms of which parties need to trust each other.
  7. Non-Google deployability. Can it be deployed without Google-scale?
  8. Near-term deployability. Can we roll it out sooner rather than later?

Acknowledgments

Thanks to everyone who contributed to CT days 2020, both in terms of organization and putting in the actual work that the different sessions presented. A detailed summary and follow-up discussion might appear on the CT policy list. Fredrik Strömberg provided valuable feedback on this story, which is sponsored by my System Transparency employment at Mullvad VPN.

Rasmus Dahlberg

PhD student at Karlstad University, Sweden. Into things like transparency logging, the web’s public-key infrastructure, and privacy-enhancing technologies.