May 1st marked a historic development for Google. That’s the day when a mandate requiring Chromium Certificate Transparency (CT) Policy compliance of all newly issued TLS certificates for the Chrome Browser came into force. Google declared that a website’s publicly trusted certificates issued by a certificate authority (CA) must appear in a CT log, a network service which maintains records of digital certificates. Otherwise, the tech giant said it would display a warning message to visitors and prevent any of the website’s sub-resources served over HTTPS from loading properly.
Google’s mandate helps advance the mission of the Certificate Transparency framework to allow for early detection of mis-issued certificates, faster mitigation of suspect certificates and better oversight of the entire TLS/SSL system. Even so, it doesn’t account for one important reality in the industry today. That is the booming public key infrastructure (PKI) market.
PKI: How It Disagrees with Google’s Policy
As defined by TechTarget, PKI consists of rules and policies that support the distribution and identification of public encryption keys necessary for users to exchange sensitive data with other parties over the web. It acts as the foundation of machine identity management and helps validate the authenticity of a data transaction. Accordingly, organizations are increasingly turning to public key infrastructure to fuel their digital transformations, which is contributing to the global PKI market’s maturation and growth. Market Research Future found in a 2018 report that the PKI market is expected to grow at a compound annual growth rate (CAGR) of 22.7 percent between 2017 and 2023. It will be worth just shy of $2 billion by 2023, reported Reuters.
Where Google’s policy falls short is its assumption that logs will accept certificates indefinitely. This isn’t sustainable over the long term. As logs amass hundreds of millions of certificates, admins will find it difficult to maintain them. Not only that, but any failure of a log will have a dramatic effect on the operability of countless websites.
A Solution for the New World
To address this problem, DigiCert has recommended temporal sharding. It’s a course of action whereby logs accept certificates according to their “notBefore” and “notAfter” values. This date range is stored in the certificate itself as its validity period.
Via temporal sharding, a logical log would consist of multiple physical logs acting together to evaluate certificates’ validity periods. For instance, a physical log sharded in a one-year time segment would evaluate a certificate’s validity period. If its expiration date occurs after a certain date, the log would reject it, at which point the certificate would go to the next physical log in sequence. It would then go from log to log until its temporal settings match the specifications of one of the physical logs.
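The log-to-log routing described above, as an added example that is not from the original article or from DigiCert. It assumes each physical log accepts a certificate when its notAfter falls in a half-open one-year window; the shard names, dates and helper names are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple


def utc(year: int, month: int, day: int) -> datetime:
    """Helper for building constructed sample timestamps."""
    return datetime(year, month, day, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Shard:
    """One physical log; accepts certificates with notAfter in [start, end)."""
    name: str
    start: datetime  # inclusive lower bound on notAfter
    end: datetime    # exclusive upper bound on notAfter

    def accepts(self, not_after: datetime) -> bool:
        return self.start <= not_after < self.end


def yearly_shards(prefix: str, first_year: int, count: int) -> List[Shard]:
    """Consecutive one-year physical logs that together form one logical log."""
    return [Shard(f"{prefix}{y}", utc(y, 1, 1), utc(y + 1, 1, 1))
            for y in range(first_year, first_year + count)]


def route(shards: List[Shard], not_before: datetime,
          not_after: datetime) -> Tuple[Optional[str], List[str]]:
    """Offer the certificate to each physical log in sequence.

    Returns (name of the accepting shard or None, shards that rejected it).
    None means no shard covers the expiry date, so the certificate cannot
    be logged by this logical log at all.
    """
    if not_after <= not_before:
        raise ValueError("notAfter must be later than notBefore")
    rejected: List[str] = []
    for shard in shards:
        if shard.accepts(not_after):
            return shard.name, rejected
        rejected.append(shard.name)
    return None, rejected


# Constructed logical log: three one-year shards covering 2018 through 2020.
LOGICAL_LOG = yearly_shards("example-log-", 2018, 3)

if __name__ == "__main__":
    print(route(LOGICAL_LOG, utc(2018, 5, 1), utc(2019, 5, 1)))
    print(route(LOGICAL_LOG, utc(2019, 1, 1), utc(2021, 6, 1)))
```

A certificate whose expiry falls outside every shard window is rejected by all of them, which is the case an issuance pipeline should check for before relying on this logical log.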
Temporal sharding could help logs keep up with the explosion of digital certificates that’s set to occur over the next five years. But it can’t help organizations protect their PKI against digital threats. To accomplish that task, organizations need to automate their PKI security for all of their keys and certificates.