Certificate Transparency (CT) is a proposal that, when a certificate authority issues a certificate, they should log the details in a public, append-only log.

This allows mis-issued certificates to be spotted by site owners - and hopefully revoked in short order. Browsers, when they know to expect a CT entry, can reject a certificate as fraudulent if the expected CT entry is missing.

But CT will have two other interesting effects I haven't heard mentioned in other public discussion.

The Certificate Authority Death Penalty

Currently, no matter how badly a certificate authority messes up, it's difficult for browsers and OSes to remove them from the trusted root certificate set because of the collateral damage when innocent sites become unavailable. This is particularly an issue with the larger CAs; in a 2010 report, 21.8% of valid certificates - 300,224 out of 1,377,067 - were signed by the same GoDaddy certificate, so that one would be pretty hard for Mozilla or Google or Microsoft to drop.

But there is a way browser vendors could kill a CA without such collateral damage - they can 'grandfather in' a list of certificates that should remain trusted even after the CA becomes untrusted. A list of every certificate issued by that CA that hasn't expired or been revoked.

You'd imagine every CA would maintain such a list in-house - but if the CA has messed up and they know the browser vendors are about to put them out of business, they have no incentive to cooperate and every incentive to claim the family dog ate their customer database.

By generating a public database of issued certificates and forcing CAs to put all certificates into it, browser vendors gain leverage over certificate authorities, because they can put a certificate authority out of business with much less collateral damage.

That sounds bad for Certificate Authorities, but it's actually good

So why would certificate authorities support this, if it puts a gun to their heads?

The first reason is because they actually care about security. They don't want to mis-issue certificates, and they'd rather their mistakes be detected and rectified. With over 650 organisations that can issue certificates, detecting and getting rid of the cowboys is good for the industry's reputation.

The second reason is browser vendors can do it with or without them - if CAs don't submit to CT logs, browsers can do it for them (at the cost of missing mailserver certificates and corporate intranet sites that are never accessed by modern browsers).

But the most interesting reason is that, by radically increasing the cost of signing a bad certificate, it makes it much less likely anyone will force them to sign bad certificates. Game theoretician and Nobel laureate Thomas C. Schelling describes the reason in The Strategy Of Conflict:

There is probably no single principle of game theory that epitomizes so strikingly the mixed-motive game as this principle that a worsening of some or even all of the potential outcomes for a particular player and an improvement in none of them may be distinctly - even dramatically - advantageous for the player so disadvantaged. [...] It was reported unofficially during the Korean War that when the Treasury Department blocked Communist Chinese financial assets, it also knowingly blocked some non-Communist assets as a means of immunizing the owners against extortionate threats against their relatives still in China.

In simple terms: If you make it impossible for you to do something, nobody will try to force you to do that thing.

If a CA can issue a certificate for windowsupdate.microsoft.com and the only cost is some bad publicity and a slap on the wrist, an extortionist can threaten something medium-sized (like revealing the CEO's affair) expecting the company to cave. But if the cost is that the CA goes out of business within a week, the company is in a much better position: nobody would expect them to cave to such a threat, so nobody will bother to make such a threat.

Payoff matrix without CT:

Threat          Issues bad cert    Doesn't
Request                     -10          0
Extortion                   -10      -1000
Bribery                     990          0

Payoff matrix with CT:

Threat          Issues bad cert    Doesn't
No extortion            -100000          0
Extortion               -100000      -1000
Bribery                  -99000          0

Without CT, bribery and extortion change the optimal strategy for the CA - whereas with CT the optimal strategy is always the same, rendering bribery and extortion pointless.

Granted, bribery and extortion would still work if the threat or bribe was greater than the cost of putting the CA out of business - but even then, it would only get the attacker one set of certificates, which would be detected and revoked in short order. Certificate Transparency is good for CAs because it makes them threat-proof.
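The same argument as a small model, added here as an illustration rather than code from the original post: the CA's payoff is its own cost of issuing a bad certificate (assumed 10 without CT, 100000 with CT), minus any extortion penalty if it refuses, plus any bribe if it issues. The assumed threat and bribe sizes of 1000 reproduce the two matrices above (the first matrix labels its baseline row "Request"; the model uses "No extortion" for both), and the model also gives the general break-even point the paragraph above describes.

```python
# Added example, not part of the original post. Assumed parameters: the CA's
# own cost of a bad cert (10 without CT, 100000 with CT), an extortion penalty
# of 1000 and a bribe of 1000, chosen to match the page's payoff matrices.
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    bribe: int = 0    # paid to the CA only if it issues the bad cert
    penalty: int = 0  # inflicted on the CA only if it refuses


THREATS = [
    Threat("No extortion"),
    Threat("Extortion", penalty=1000),
    Threat("Bribery", bribe=1000),
]


def payoffs(cost_of_bad_cert: int, threat: Threat) -> tuple[int, int]:
    """Return (payoff if the CA issues the bad cert, payoff if it doesn't)."""
    issues = threat.bribe - cost_of_bad_cert
    refuses = -threat.penalty
    return issues, refuses


def best_response(cost_of_bad_cert: int, threat: Threat) -> str:
    """The CA's optimal action against one threat."""
    issues, refuses = payoffs(cost_of_bad_cert, threat)
    return "issue" if issues > refuses else "refuse"


def payoff_matrix(cost_of_bad_cert: int) -> dict[str, tuple[int, int]]:
    """One row per threat, as in the two matrices on the page."""
    return {t.name: payoffs(cost_of_bad_cert, t) for t in THREATS}


def min_effective_threat(cost_of_bad_cert: int) -> int:
    """Smallest bribe or penalty that flips the CA to issuing.

    Issuing beats refusing only when bribe > cost (bribery) or
    penalty > cost (extortion), so anything up to the cost is wasted."""
    return cost_of_bad_cert + 1


WITHOUT_CT, WITH_CT = 10, 100_000

if __name__ == "__main__":
    for label, cost in (("without CT", WITHOUT_CT), ("with CT", WITH_CT)):
        print(label)
        for t in THREATS:
            print(f"  {t.name:13} {payoffs(cost, t)} -> CA should {best_response(cost, t)}")
        print(f"  threat or bribe needed to flip the CA: >= {min_effective_threat(cost)}")
```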



Published

23 March 2016
