Chris Siebenmann has written a short blog piece that reflects on the trend to see Certificate Transparency (CT) as the answer to ‘the problem’, the problem being how to tell whether a validly signed and current certificate has somehow had to be revoked.
In his brief piece, TLS Certificate Transparency logs don’t always talk to you, Chris points out that people love CT because of the belief that it scales well and offers immediacy compared to Certificate Revocation List (CRL) and Online Certificate Status Protocol (OCSP) checks.
Well, Chris has news for you: those ‘old’, ‘slow’, and ‘broken’ methods you don’t like are only relatively worse than CT. It is by no means guaranteed that a given HTTP-backed CT service will be responsive, or even alive, and he notes that the service guarantees for CT are mostly fictional.
It’s the usual theory/practice problem: CT is only reliable in theory. In practice, nothing is 100% reliable these days, and you need to design robust systems to cope with something that needs updating or replacing.
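To make the ‘design robust systems’ point concrete, here is an added example (not code from Chris’ post or from this blog) of a CT log status check that tolerates slow or dead logs. It queries the RFC 6962 `get-sth` endpoint of several logs with a hard timeout, never raises on a failed log, and reports whether the set of logs that answered is below a chosen threshold so the caller can decide how to degrade. The log URLs in the usage call are constructed placeholders, not real log endpoints, and the `fetch` parameter exists so the HTTP layer can be swapped out (for tests, or for a client with its own retry policy).

```python
"""Resilient Certificate Transparency log status check (added example).

Each log's /ct/v1/get-sth endpoint (RFC 6962) is queried with a strict
timeout. A log that times out, is down, or returns garbage is recorded as
failed rather than blocking the caller, and the overall result says
whether fewer logs answered than the caller requires.
"""
import json
import socket
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class LogStatus:
    url: str
    ok: bool
    tree_size: Optional[int] = None  # size of the log's Merkle tree, from the STH
    error: Optional[str] = None      # exception class name or a short reason


def http_fetch(url: str, timeout: float) -> bytes:
    """Default fetcher: plain HTTP GET that gives up after `timeout` seconds."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read()


def fetch_sth(log_base: str, timeout: float,
              fetch: Callable[[str, float], bytes] = http_fetch) -> LogStatus:
    """Fetch one log's Signed Tree Head. Never raises; always returns a status."""
    url = log_base.rstrip("/") + "/ct/v1/get-sth"
    try:
        body = fetch(url, timeout)
        sth = json.loads(body)
        if not isinstance(sth, dict) or not isinstance(sth.get("tree_size"), int):
            return LogStatus(url, False, error="malformed STH")
        return LogStatus(url, True, tree_size=sth["tree_size"])
    except (urllib.error.URLError, socket.timeout, TimeoutError,
            ValueError, OSError) as exc:
        # Timeouts, connection errors and bad JSON all land here.
        return LogStatus(url, False, error=type(exc).__name__)


def check_logs(log_bases: List[str], timeout: float = 2.0, min_alive: int = 1,
               fetch: Callable[[str, float], bytes] = http_fetch) -> Dict[str, object]:
    """Query every log and summarise how many answered.

    `degraded` is True when fewer than `min_alive` logs returned a valid STH,
    which is the signal a caller should use to fall back (for example to
    CRL/OCSP) or to alert, instead of trusting a single unresponsive service.
    """
    statuses = [fetch_sth(base, timeout, fetch) for base in log_bases]
    alive = [s for s in statuses if s.ok]
    return {
        "alive": len(alive),
        "total": len(statuses),
        "degraded": len(alive) < min_alive,
        "statuses": statuses,
    }


if __name__ == "__main__":
    # Constructed placeholder log URLs; replace with real log base URLs to run live.
    result = check_logs(["https://ct-log-a.example", "https://ct-log-b.example"],
                        timeout=2.0, min_alive=1)
    for status in result["statuses"]:
        print(status)
    print("degraded" if result["degraded"] else "ok")
```

The design choice worth noting is that a failed log is data, not an exception: the function returns per-log results plus an aggregate verdict, so the calling system can keep serving with a recorded degradation instead of hanging on an HTTP request that may never return.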
CT isn’t the answer to ‘the problem’ in an absolute sense. Maybe it’s better than what went before, but it’s only partially helpful.
Chris’ post implies that if you aren’t paying, you can’t depend on it. But the other path would be for a community CT process to bootstrap and do what we need: provide a neutral, reliable, and scalable service to close out a certificate check, with oversight and community governance we can live with, run on a cost-recovery basis. Not something run by the ‘majors’ for their own benefit, but something run by the community for the general good.
Maybe we need to go back to the roots of what we want, and be prepared to pay for it?
The views expressed by the authors of this blog are their own and do not necessarily reflect the views of APNIC. Please note a Code of Conduct applies to this blog.