Certificate Transparency

Logs are operated by many parties, including browser vendors and certificate authorities.

Each entry is a leaf of an append-only Merkle tree: leaf hashes are combined pairwise up to a single root hash, which the log signs and publishes as a Signed Tree Head (STH). Because the root depends on every entry, a log cannot alter or remove an entry without changing the root, and a short inclusion proof (the sibling hashes along the path from a leaf to the root) lets a client check that a certificate is in the tree without downloading the whole log.
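To make the tree structure concrete, the following is an added example (not code from the original article or from any log operator) that implements the RFC 6962 Merkle Tree Hash and inclusion-proof construction and the proof-verification algorithm from RFC 9162, run over constructed placeholder entries. In a real log each leaf is a MerkleTreeLeaf structure wrapping a DER certificate or precertificate; the byte strings used here are stand-ins for those.

```python
import hashlib

# RFC 6962 section 2.1: domain-separated hashing so a leaf can never be
# confused with an interior node (second-preimage defence).
LEAF_PREFIX = b"\x00"
NODE_PREFIX = b"\x01"


def leaf_hash(entry: bytes) -> bytes:
    """SHA-256(0x00 || entry): hash of one log entry as a tree leaf."""
    return hashlib.sha256(LEAF_PREFIX + entry).digest()


def node_hash(left: bytes, right: bytes) -> bytes:
    """SHA-256(0x01 || left || right): hash of an interior node."""
    return hashlib.sha256(NODE_PREFIX + left + right).digest()


def split_point(n: int) -> int:
    """k from RFC 6962: the largest power of two strictly less than n (n > 1)."""
    k = 1
    while k * 2 < n:
        k *= 2
    return k


def merkle_tree_hash(entries: list) -> bytes:
    """MTH(D[n]) from RFC 6962 section 2.1: the root hash the log signs in its STH."""
    n = len(entries)
    if n == 0:
        return hashlib.sha256(b"").digest()
    if n == 1:
        return leaf_hash(entries[0])
    k = split_point(n)
    return node_hash(merkle_tree_hash(entries[:k]), merkle_tree_hash(entries[k:]))


def inclusion_proof(index: int, entries: list) -> list:
    """PATH(m, D[n]) from RFC 6962 section 2.1.1: sibling hashes, leaf to root."""
    n = len(entries)
    if n == 1:
        return []
    k = split_point(n)
    if index < k:
        return inclusion_proof(index, entries[:k]) + [merkle_tree_hash(entries[k:])]
    return inclusion_proof(index - k, entries[k:]) + [merkle_tree_hash(entries[:k])]


def verify_inclusion(entry: bytes, index: int, tree_size: int,
                     proof: list, root: bytes) -> bool:
    """Recompute the root from a leaf and its proof (RFC 9162 section 2.1.3.2).

    A client needs only the entry, its index, the tree size and the STH root,
    not the whole log, to check that the entry is really in the tree.
    """
    if index >= tree_size:
        return False
    fn, sn = index, tree_size - 1
    r = leaf_hash(entry)
    for p in proof:
        if sn == 0:
            return False  # proof is longer than the tree is deep
        if fn & 1 or fn == sn:
            r = node_hash(p, r)  # our subtree is the right child
            if not fn & 1:
                while fn != 0 and not fn & 1:
                    fn >>= 1
                    sn >>= 1
        else:
            r = node_hash(r, p)  # our subtree is the left child
        fn >>= 1
        sn >>= 1
    return sn == 0 and r == root


# Constructed stand-ins for log entries; real leaves are MerkleTreeLeaf
# structures wrapping a certificate or precertificate.
ENTRIES = [b"cert-%d" % i for i in range(5)]


def demo() -> dict:
    """Prove every entry is in the tree, then show a rewritten entry fails."""
    root = merkle_tree_hash(ENTRIES)
    results = {}
    for i, entry in enumerate(ENTRIES):
        results[i] = verify_inclusion(entry, i, len(ENTRIES),
                                      inclusion_proof(i, ENTRIES), root)
    # Altering an entry after the STH was signed breaks its proof: the log
    # cannot quietly rewrite history without changing the published root.
    results["tampered"] = verify_inclusion(b"cert-forged", 3, len(ENTRIES),
                                           inclusion_proof(3, ENTRIES), root)
    return results


if __name__ == "__main__":
    for key, ok in demo().items():
        print(key, "included" if ok else "NOT included")
```

The 5-entry tree is deliberately unbalanced (4 + 1), so the last leaf's proof is a single hash while the others need three; the verifier's right-shift loop is what handles that shape, and a faulty implementation usually goes wrong exactly there.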

Because the logs are public, security teams can monitor issuance for their own domains and for lookalike domains. A suspicious certificate found in a log can be investigated and referred for revocation or domain takedown, and the domain can be blocked on web proxies and email gateways before the campaign reaches users.

[1] In the past, a number of misbehaving logs have published inconsistent root stores.

Google employees Ben Laurie, Adam Langley and Emilia Kasper began work on an open source framework for detecting mis-issued certificates the same year.

[21] In June 2013, RFC 6962 "Certificate Transparency" was published, based on the 2012 draft.

[27] In May 2019, certificate authority Let's Encrypt launched its own CT log called Oak.

Since February 2020, it has been included in approved log lists and has been usable by all publicly trusted certificate authorities.

[1] Version 2.0 (RFC 9162) makes major changes to the required structure of the precertificate, adds support for Ed25519 as a signature algorithm for SCTs, and allows a certificate inclusion proof to be delivered together with the SCT.

In February 2022, Google published an update to its CT policy,[29] removing the requirement for certificates to include an SCT from Google's own CT logs and thereby matching its certificate requirements to those previously published by Apple.

An example of a Certificate Transparency entry as shown in Firefox 89 (figure caption)