To address some weaknesses in the public PKI trust process, Certificate Transparency (CT) was created to make it easier to detect and track fraudulent certificate issuance and use. The idea is that a small number of public, append-only log servers record the certificates that CAs issue, and a browser requires proof that a certificate has been recorded in those logs before it will trust it; anyone, including the domain owner, can then monitor the logs for certificates that should never have been issued. To use CT, both Certification Authorities and browsers need to be modified. Up to this point, CT has largely been a proof of concept and participation has been optional. As with anything, once one or more of the major browser vendors begins enforcing a requirement (SHA-2 anyone?), the other browsers are encouraged to do likewise. From an administrative standpoint, if one of the major browsers is going to enforce something, you might as well assume all of your web traffic will be impacted.
In this case, the potential impact on Microsoft ADCS Certification Authorities is huge. It applies only to organizations that have contracted with a commercial provider to place part of their PKI under that provider's root; this is often called Qualified Subordination. The benefit of this program is that anything the customer's CA issues is fully trusted worldwide as if it came from the provider's own CAs. There are extensive security and audit control requirements, but it can lower the cost of certificate acquisition, provides globally trusted certificates and lets customers use software and systems they are experienced with.
At the 39th meeting of the CA/Browser Forum (www.cabforum.org) the Chrome team announced plans under which publicly trusted SSL/TLS certificates issued after October 2017 would need to comply with Chrome's Certificate Transparency policy in order to be trusted by Chrome. On the 25th of October Ryan Sleevi released additional details in this mail thread (https://groups.google.com/a/chromium.org/forum/#!topic/ct-policy/78N3SMcqUGw). Please note that Mozilla is also considering implementing Certificate Transparency in the Firefox browser, although no dates have been given.
The impact is that, as of this moment, Microsoft does not have a solution for ADCS Certification Authorities that need to comply with CT. One could potentially be implemented through a software change, an exit module or a 3rd party solution.
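Until such a solution exists, a practical check is to look at what your ADCS subordinate CA is actually issuing. The following PowerShell is an added example, not code from the original post or from Microsoft: it inspects a certificate for the embedded SCT list extension (OID 1.3.6.1.4.1.11129.2.4.2 from RFC 6962), which is the form of CT proof that requires no change to the web server. SCTs can also be delivered in a TLS extension or via OCSP stapling, so a certificate without the embedded extension is not necessarily non-compliant; it just means compliance would depend on the server rather than the CA. The file path, store path and function names are assumptions for illustration.

```powershell
# Added example: check whether certificates carry an embedded SCT list.
# The SCT list extension OID comes from RFC 6962 section 3.3.
$script:SctListOid      = '1.3.6.1.4.1.11129.2.4.2'
# Server Authentication EKU (id-kp-serverAuth), used to focus on SSL/TLS certificates.
$script:ServerAuthEku   = '1.3.6.1.5.5.7.3.1'

function Test-CtCompliantCertificate {
    <#
      Reports whether a single certificate carries an embedded SCT list.
      Accepts an X509Certificate2 object or a path to a .cer/.crt file.
    #>
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        $Certificate
    )
    process {
        # Load from disk if a path was supplied; assumed path format only.
        if ($Certificate -is [string]) {
            $Certificate = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Certificate
        }

        # Look for the SCT list extension among the certificate's extensions.
        $sctExt = $Certificate.Extensions |
            Where-Object { $_.Oid.Value -eq $script:SctListOid }

        [pscustomobject]@{
            Subject        = $Certificate.Subject
            Issuer         = $Certificate.Issuer
            NotBefore      = $Certificate.NotBefore
            NotAfter       = $Certificate.NotAfter
            HasEmbeddedSct = [bool]$sctExt
            # Raw DER length of the extension; 0 when absent. Useful for
            # spotting a present-but-empty list.
            SctListBytes   = if ($sctExt) { $sctExt.RawData.Length } else { 0 }
        }
    }
}

function Get-ServerCertificatesWithoutSct {
    <#
      Scans a certificate store for server-authentication certificates that
      have no embedded SCT list. Store path is an assumption; adjust for the
      machine being audited.
    #>
    param(
        [string]$StorePath = 'Cert:\LocalMachine\My'
    )

    Get-ChildItem -Path $StorePath |
        Where-Object {
            # Keep only certificates whose EKU includes Server Authentication.
            $eku = $_.Extensions |
                Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
            $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $script:ServerAuthEku })
        } |
        Test-CtCompliantCertificate |
        Where-Object { -not $_.HasEmbeddedSct }
}

# Usage (hypothetical inputs):
#   Test-CtCompliantCertificate -Certificate 'C:\Temp\webserver.cer'
#   Get-ServerCertificatesWithoutSct -StorePath 'Cert:\LocalMachine\My' | Format-Table Subject, NotAfter
```

Run the second function against the machines that terminate TLS with certificates chained under your qualified subordinate CA; every hit issued after the enforcement date is a certificate Chrome would stop trusting unless the server delivers SCTs by one of the other two methods.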
I have started a dialog with the ADCS Product Manager at Microsoft to provide details of customer impacts and possible options for resolution.
I have also started collecting details about affected organizations to provide a scale and scope of impact to Microsoft. Microsoft’s ability to address this issue will largely be driven by feedback and comments from the community. If you are using ADCS as a Qualified Subordinate, I would encourage you to reach out to me so I can add your details to the list of customers impacted by this enforcement.
Without a process change in ADCS, environments will be forced either to move to a managed PKI solution from their commercial providers, move to a 3rd party solution such as EJBCA, or eliminate their subordination program. Fortunately we have 11 months to address the issue and seek a workable solution, so please spread the word early.