TLS Certificate Transparency logs let us assess Certificate Authorities

October 10, 2021

I was recently reading Scott Helme's The Complexities of Chain Building and CA Infrastructure (it's part of a series from last year on the impending doom of expiring root CAs, which was linked to by Helme's Let's Encrypt Root Expiration - Post-Mortem). In it Helme mentioned something that previously hadn't consciously struck me about the modern Certificate Transparency environment. I'll just quote Helme here:

Who are the biggest CAs out there?

A few years ago that was probably a really hard question to answer. You might have to ask every CA what their issuance volume was and then compare them all to each other, hoping they weren't presenting figures in creative ways. Today though, we have a very easy way of determining this, Certificate Transparency. [...]

Simplifying slightly, all significant Certificate Authorities have had to log the TLS certificate they issue into Certificate Transparency logs for some time. Chrome has required this since May 2018, and since all fully valid TLS certificates have had a maximum validity of slightly over a year for a while, all still valid TLS certificates had better be in Certificate Transparency logs. As Scott Helme says, this means that we can count CA activity by looking at CT logs for what TLS certificates they've issued. We can do this for all of their TLS certificates, or just those with some characteristics (such as being in a specific TLD).

(There are some complexities in practice, but they can be solved with work.)

This matters for more than just a CA popularity count. One of the eternal arguments around either changing the rules for TLS certificates and CAs, or dealing with an issue with a CA, is how many people and TLS certificates will be affected. In the past traditionally there were all sorts of arguments and back and forth numbers and so on (from browsers, from CAs, etc). Today, for many questions we can go out and measure through the CT logs to count at least how many TLS certificates would be affected. How many TLS certificates would be affected is not the same thing as how much traffic or how many people would be affected, of course. But it's a start, which is more than we used to have to work with in the open.

PS: One use for this that I've already seen in past incidents is for third parties to check a CA's claims of how many of their TLS certificates have some mistake. Generally the answer is 'more than the CA initially reported', although probably my sample is biased because if people just confirm the CA's numbers they may not say anything.

Written on 10 October 2021.
« V7 Unix had no stack size limit, and when Unix acquired one
Unknown NMIs and counting hardware CPU events in eBPF programs »

Page tools: View Source, Add Comment.
Login: Password:
Atom Syndication: Recent Comments.

Last modified: Sun Oct 10 23:26:27 2021
This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.