Welcome! Log In Create A New Profile

Re: Certificate Transparency

Forum List Message List New Topic Print View

B.R.

November 11, 2015 09:04AM

It is sad Chrome kind of forces website owners to have Certificate
Transparency available while the whole things is still categorized as
'Experimental' by the IETF to this day:
https://tools.ietf.org/html/rfc6962

.... but that is another debate. If you wanna serve CT certificates from a
non-CT-compliant CA, you will need to serve it through as TLS extension, ie
using a server module.

In the end, it sounds logical that CA implement this mechanism on their
side, through OCSP.
For now, this RFC future is uncertain and the technical oddities this
mechanism oddities it implies (double issuance
https://community.letsencrypt.org/t/will-you-support-certificate-transparency/222/11,
for example) might make CAs relunctant to rush, and it is perfectly
understandable.

If you support Chrome's vision and Google's wish to force the way of this
RFC, go for a compliant CA or use a custom module.
---
*B. R.*

On Wed, Nov 11, 2015 at 12:11 PM, Rob Stradling <rob.stradling@comodo.com>
wrote:

> On 11/11/15 11:03, locojohn wrote:
>
>> Joó Ádám Wrote:
>> -------------------------------------------------------
>>
>> The TLS extension is the only method to implement Certificate
>>> Transparency without the assistance of the CA, and starting with
>>> January 1 2015 Chrome refuses to display the green bar for EV
>>> certificates without Certificate Transparency.
>>>
>>> StartSSL is one CA that currently does not support other methods,
>>> which means a lot of sites suffers from this.
>>>
>>
>> Interesting, we have installed multi-domain EV certificates from StartSSL
>> for our company and we use Nginx, and EV green bar works in all modern and
>> even not so modern browsers:
>>
>> https://www.ahlers.com
>>
>
> In Chrome 46, I see "https:" in green but I don't see the "EV green bar"
> that shows the Subject Organization Name. That's because...
>
> I presume Certificate Transparency is not required then?
>>
>
> ...CT _is_ required if you want to see the EV green bar in recent versions
> of Chrome.
>
> Best regards,
>> Andrejs
>>
>
> --
> Rob Stradling
> Senior Research & Development Scientist
> COMODO - Creating Trust Online
>
>
> _______________________________________________
> nginx mailing list
> nginx@nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
>
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx

Reply Quote

RSS

Subject	Author	Posted
Certificate Transparency	Joó Ádám	November 08, 2015 10:18AM
Re: Certificate Transparency	Maxim Dounin	November 09, 2015 08:22AM
Re: Certificate Transparency	Joó Ádám	November 09, 2015 11:16AM
Re: Certificate Transparency	locojohn	November 11, 2015 06:03AM
Re: Certificate Transparency	Rob Stradling	November 11, 2015 06:12AM
Re: Certificate Transparency	B.R.	November 11, 2015 09:04AM
Re: Certificate Transparency	Rob Stradling	November 11, 2015 09:28AM

Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 308

Record Number of Users: 8 on April 13, 2023

Record Number of Guests: 421 on December 02, 2018