Public Notary Transparency Working Group                              B.
                                                                  Kasper

                        Certificate Transparency
                   draft-ietf-trans-rfc6962-bis-15

   This document describes a protocol for publicly logging the existence
   of Transport Layer Security (TLS) certificates as they are issued or
   observed, in a manner that allows anyone to audit certification
   authority (CA) activity and notice the issuance of suspect
   certificates as well as to audit the certificate logs themselves.
   The intent is that eventually clients would refuse to honor
   certificates that do not appear in a log, effectively forcing CAs to

   Logs are network services that implement the protocol operations for
   submissions and queries that are defined in this document.

   This Internet-Draft is submitted in full conformance with the

   Internet-Drafts are working documents of the Internet Engineering
   Note that other groups may also distribute

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on November 27, 2016.

Internet-Draft            Certificate Transparency               May 2016

   Copyright (c) 2016 IETF Trust and the persons identified as the

   This document is subject to BCP 78 and the IETF Trust's Legal
   Please review these documents
   carefully, as they describe your rights and restrictions with respect
   Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as

Table of Contents

   Using a Name-Constrained Intermediate CA
   6.1.  Retrieve Merkle Consistency Proof between Two Signed Tree
   Retrieve Merkle Inclusion Proof from Log by Leaf Hash
   Retrieve Merkle Inclusion Proof, Signed Tree Head and Consistency Proof by Leaf Hash
   Presenting SCTs, inclusion proofs and STHs
   Transparency Information X.509v3 Extension
   12.6.1.  Avoiding Overly Redacting Domain Name Labels

1.  Introduction

   Certificate transparency aims to mitigate the problem of misissued
   certificates by providing append-only logs of issued certificates.
   The logs do not need to be trusted because they are publicly
   auditable.  Anyone may verify the correctness of each log and monitor
   prevent misissue, but they ensure that interested parties
   (particularly those named in certificates) can detect such
   Note that this is a general mechanism but in this
   document, we only describe its use for public TLS server certificates
   issued by public certification authorities (CAs).  Each log contains
   certificate chains, which can be submitted by anyone.  It is expected
   that public CAs will contribute all their newly issued certificates to
   one or more logs however certificate holders can also contribute
   their own certificate chains, as can
   In order to avoid logs being rendered useless by the
   submission of large numbers of spurious certificates, it is required