itestro - Fotolia

Comodo to open its Certificate Transparency logs to all CAs

Certificate authority Comodo has submitted two new Certificate Transparency logs for approval by Google, which aim to accept any publicly trusted certificates from any CA.

Certificate authority Comodo has registered two new Certificate Transparency logs that impose no fees or reciprocity requirements of other CAs wishing to register certificates.

Comodo submitted its proposed logs to Google's Chromium project bug tracker, in accordance with Certificate Transparency log procedure, and made clear its intent to operate them openly and freely.

"Open acceptance policy: This log accepts all roots that are enabled for the server authentication trust purpose in one or more of the Microsoft, Mozilla and Apple root programs. We will update this log's list of accepted roots from time to time in accordance with this policy," read the first bullet point of the Comodo "Sabre" and "Mammoth" log applications; Comodo's second bullet point stated there would be no fees or contracts required for a certificate authority (CA) to submit.

"There is no cost to CAs for having a root accepted by this log. There is also no cost for submitting certificates/precertificates to this log. There are no contracts to sign at present, but we reserve the right to require contracts in the future," read the applications.

"Google operates several CT logs which have an open-acceptance policy for publicly trusted CAs," Ryan Sleevi, software engineer and tech lead for Chrome's networking security team at Google, told SearchSecurity, but  Comodo's move to open their Certificate Transparency logs was "absolutely" a positive development.

"We believe that logs open to all publicly trusted CAs are the best method of demonstrating that they are operated in the public interest and improve online security," Sleevi wrote in an email. "Beyond operating an open CT log, Comodo has led the development and operation of the open source tool, which has become the industry standard method for quickly and easily examining Certificate Transparency logs and the web [public key infrastructure]. In addition, Comodo has been co-editing the Certificate Transparency specification within the IETF. We applaud Comodo's continued commitment to the development and success of Certificate Transparency and improving the web PKI."

Shortly after Comodo submitted its requests to open the new Certificate Transparency logs, Rob Stradling, senior research and development scientist at Comodo CA Limited, tweeted:

Andrew Ayer, founder of SSLMate, an SSL certificate management service based in Orinda, Calif., tweeted support for Comodo's move:

Openness in Certificate Transparency logs

While other Certificate Transparency logs are open to submissions from other CAs, some may require CAs to sign contracts or make payments to do so.

"Google's and Venafi's logs are open to all publicly-trusted CAs, at no cost. PuChuangSiDa have said that they intend to open their log to all CAs, although they haven't explicitly said 'at no cost,'" Stradling told SearchSecurity.

"Symantec has made some log servers available at no cost to all CAs who request access, and who sign a contract that guides right usage of the log server. The contract is intended only to minimize the risk of misuse or impact on availability of the log servers so that those remain compliant," according to a statement provided by Symantec. "There is no cost to use these CT log servers."

Jeremy Rowley, executive VP of emerging markets at certificate authority DigiCert, told SearchSecurity that external CAs can submit to its CT logs as long as they waive liability if the log fails and pay fees that depend "on the actual cost of running the log, usually about $5,000 per year for each CA."

"As we are running the log at cost for the benefit of our competitors, we felt a waiver of liability was necessary to prevent potentially bad actions by participants. We also require participating CAs to share in the cost of running the log or set up their own log and include DigiCert's roots. We run the log this way to 1) encourage more logs in the ecosystem and 2) build a sense of community around the log. The log succeeds with community buy-in and ownership."

Google monitors proposed Certificate Transparency logs for 90 days after being submitted as a bug to the Chromium bug tracker.

During that time, Google verifies candidate logs conform to the Certificate Transparency specification in RFC 6962, meet uptime requirements and that the log is "append-only and consistent from every point of view," according to Chromium's Certificate Transparency log policy.

Even after acceptance, Chromium continues to monitor Certificate Transparency logs for compliance with conditions that include maintenance of 99% uptime performance, ongoing conformance to RFC 6962, no imposition of conditions on retrieving or sharing log data and more.

Next Steps

Learn about how HTTP public key pinning affects Firefox browser users

Find out more about how Google's Certificate Transparency program is helping prevent certificate abuse

Read about security issues related to the SSL ecosystem

Dig Deeper on Identity and access management