Benefits and Advantages

Certificate Transparency offers several benefits that competing technologies do not. These benefits are mainly aimed at certificate authorities, domain owners, and server operators, but they also affect individual users.

Gradual Rollout

Certificate Transparency does not have to be adopted by every certificate authority (CA) and every TLS client to be useful or effective. The framework is designed to provide a useful service from the very early days of its operation, and to get better as more organizations, browser vendors, and users begin to participate.

Google currently operates a Certificate Transparency log, and we are filling the log with certificates that we retrieve while crawling the web. The log’s base URL is https://ct.googleapis.com/pilot (note that you can’t browse this URL; it doesn’t serve web pages). We are also actively working on monitoring and auditing software, which you can find at https://github.com/google/certificate-transparency.

Also, we are currently working on a version of Chrome that will check for Certificate Transparency SCTs, and we are making changes to our own services so they offer certificates with Certificate Transparency SCTs. Of course, any browser that adopts Certificate Transparency early on won't be able to block connections where no SCTs are offered, and in the early days of Certificate Transparency, almost no servers will offer SCTs. So at some point, Chrome will be updated to display warnings before establishing a secure connection without an SCT. As more CAs and browsers adopt Certificate Transparency, Chrome's default behavior will be modified again so it refuses to connect to any site that doesn't return a valid SCT with a certificate, though users may be able to change this. We hope that other browser vendors will follow a similar path.

The beauty of this system is that it does not need to be adopted by all browsers or users to work. Once an appreciable fraction of Internet users participate in Certificate Transparency, rogue CAs will be easy to detect and remove from all browsers' roots of trust. Certificate Transparency represents a kind of "herd immunity" for the whole Internet: once it's easy to spot cheating CAs, everyone benefits, even those who don't participate in the system.

Minimal Impact to Existing Infrastructure

Another benefit of Certificate Transparency is that it doesn’t require any significant change to a CA’s current business model. CAs will still provide SSL certificates as they have in the past. The only change is that they’ll need to first send the certificates to a few log servers and get a timestamp, which they include with the certificate.

What’s more, in a typical Certificate Transparency configuration, there is no impact on domain owners or server operators: the TLS handshake from the server side is unchanged. However, domain owners now have the ability to monitor their certificates to be sure no other certificates have been issued for their domains or servers.

Note: Some Certificate Transparency configurations require a server modification. See How Certificate Transparency Works for more information.

Expanded Service Offerings for CAs

Certificate Transparency gives CAs the opportunity to provide several new services to their customers. For example, a CA could offer certificate-monitoring services to server operators or domain owners, or it could offer certificate auditing services to TLS clients.

Better Industry Conformance and Oversight

One of the primary benefits of Certificate Transparency is that it makes it easier for CAs to monitor their own certificates and certificate operations. But because the Certificate Transparency framework is open and publicly accessible to anyone, it also lets CAs monitor the operation and behavior of other CAs. This oversight capability helps drive better adherence to standard practices across the industry, and it helps lessen the impact of missteps on the entire Internet. Indeed, incidents that at one time were concealed and downplayed, and in fact caused the shutdown of an entire CA, could be exposed much earlier and mitigated by simply revoking a single certificate.

What makes this possible is the framework’s public auditing and public monitoring features (the “transparency” part of Certificate Transparency). Because the SSL certificate system is opened to near real-time scrutiny, mistakes and malicious behavior are difficult (if not impossible) to conceal. In short, the types of problems that required drastic mitigation measures in the past can now be quickly detected and mitigated through simple certificate revocation procedures.
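The public auditing described above rests on the log’s append-only Merkle tree: an auditor holding a signed tree head can check that a given certificate is really in the log by recomputing the root hash from a short audit path. The following is an added example (not code from the Certificate Transparency project) implementing the RFC 6962 tree hash, audit-path generation and inclusion verification; the entries are constructed byte strings standing in for DER-encoded certificates.

```python
"""RFC 6962 Merkle tree hashing, audit paths and inclusion verification.

Added example; the log entries below are constructed stand-ins for certificates.
"""
import hashlib

LEAF_PREFIX = b"\x00"  # domain separation for leaf hashes
NODE_PREFIX = b"\x01"  # domain separation for interior-node hashes


def leaf_hash(entry: bytes) -> bytes:
    return hashlib.sha256(LEAF_PREFIX + entry).digest()


def _split(n: int) -> int:
    """Largest power of two strictly less than n (the 'k' of RFC 6962 2.1)."""
    k = 1
    while k * 2 < n:
        k *= 2
    return k


def tree_hash(entries: list[bytes]) -> bytes:
    """MTH(D[n]): root hash of the tree over all entries."""
    if not entries:
        return hashlib.sha256(b"").digest()
    if len(entries) == 1:
        return leaf_hash(entries[0])
    k = _split(len(entries))
    return hashlib.sha256(NODE_PREFIX + tree_hash(entries[:k]) + tree_hash(entries[k:])).digest()


def audit_path(index: int, entries: list[bytes]) -> list[bytes]:
    """PATH(m, D[n]): sibling hashes, leaf-to-root, needed to prove entry `index`."""
    if len(entries) <= 1:
        return []
    k = _split(len(entries))
    if index < k:
        return audit_path(index, entries[:k]) + [tree_hash(entries[k:])]
    return audit_path(index - k, entries[k:]) + [tree_hash(entries[:k])]


def verify_inclusion(entry: bytes, index: int, tree_size: int, path: list[bytes], root: bytes) -> bool:
    """Auditor side: recompute the root from leaf, index and path; compare to the signed root."""
    if index >= tree_size:
        return False
    fn, sn, r = index, tree_size - 1, leaf_hash(entry)
    for p in path:
        if sn == 0:
            return False  # path longer than the tree allows
        if fn & 1 or fn == sn:  # we are a right child (or the unpaired last node)
            r = hashlib.sha256(NODE_PREFIX + p + r).digest()
            if not fn & 1:
                while fn != 0 and not fn & 1:
                    fn, sn = fn >> 1, sn >> 1
        else:  # we are a left child
            r = hashlib.sha256(NODE_PREFIX + r + p).digest()
        fn, sn = fn >> 1, sn >> 1
    return sn == 0 and r == root
```

A real auditor would take `root` from a signed tree head and `path` from the log’s get-proof-by-hash endpoint; an entry whose proof fails to verify, or that the log cannot prove at all, is evidence of a misbehaving log rather than a misissued certificate.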

Flexible and Extensible Framework

The Certificate Transparency project is currently focused on strengthening the SSL certificate system. However, some of the principles that drive Certificate Transparency could be used to harden other services, such as notarizing documents or signing software. For example, you could use similar transparency methods to verify that an executable file is indeed meant for widespread distribution and is not a one-off malicious version aimed at a small segment of vulnerable users. In short, Certificate Transparency is a great proving ground for other transparency services that benefit from public monitoring and auditing.