A decade of certificate transparency and what may come next (eh23)

Certificate Transparency (RFC 6962) is a protocol that aims to provide additional security to the WebPKI ecosystem, which is used as the root of trust in TLS connections of the browsers. The idea is that issued certificates must be logged in auditable certificate transparency logs, in order to be considered valid by the browser. This gives transparency into the operation of Certificate Authorities (CAs). This talk revisits the evolution of the Certificate Transparency (CT) protocol, beginning with a brief recap of the problem that motivated its design and the rollout of the protocol over the last decade. Then, I will examine the state of the ecosystem as it is today, including browser enforcement policies and current log operators, as well as recent developments such as the static CT API rollout. I'll highlight some of the remaining issues in the security of the protocol, such as issues with log list management and the lack of progress on gossip. Finally, I'll introduce (and depending on the state of progress also demonstrate) luCT, a project I am working on, which attempts to tackle some of these issues in the CT ecosystem before closing with an outlook into the future of the ecosystem and a call to action. Over the last decade, certificate transparency (CT) has become an integral part of the web's security infrastructure. However, the story of CT is far from finished. In this talk, I want to unpack where CT stands today, what has been achieved during the last 10 years, which issues the ecosystem is still struggling with today and what we may be able do about it. This work is licensed under CC BY-NC 4.0. To view a copy of this license, visit https://creativecommons.org/licenses/by-nc/4.0/ about this event: https://pretalx.eh23.easterhegg.eu/eh23/talk/8Y9ATA/