In my previous blog, I discussed the need to balance the benefits of logging certificates publicly with the need of many customers to prevent logging of internal domain names they consider private.
The Internet Engineering Task Force (IETF) also recognized the importance of this, and has made solid progress in support for name redaction in the latest version of the Certificate Transparency (CT) specification. Based on this progress, Symantec will soon be adding a “redaction” option for customers to exclude publishing of sub-domain information when requesting certificates. With this feature, customers will be able to get the full benefits of monitoring certificates issued by Symantec and also get the privacy protection they need.
Here’s an example:
| Option | What is logged | Examples of logged names |
|---|---|---|
| All domain information logged (default) | Your entire fully qualified domain name(s) are logged to Certificate Transparency log servers exactly as they appear in the certificate. | `mail.example.com`, `secret.example.com`, `secret.www.example.com` |
| Effective top-level domain plus one label (eTLD+1) logged | Only your base domain name is logged, to a Certificate Transparency log server hosted by Symantec; every label to the left of the base domain may be redacted and appears as `?` in the log. | `?.example.com`, `?.?.example.com` |
With the introduction of the redaction feature, we will remove the current “opt-out” option from our tools. Why are we removing opt-out? As I shared in my last post, opt-out, while a solution for privacy concerns, is not optimal because it leaves a gap: certificates whose owners opted out are never logged at all. By supporting redacted certificates instead, we can still provide customers the benefits of monitoring their domains while addressing their potential need for privacy. In short, Symantec will log all certificates and all certificate information by default. Customers who choose to redact should do so only when their security and privacy policies require it, and should be aware that monitoring is simpler with a non-redacted certificate: a redacted entry tells a monitor only how many labels sit to the left of the base domain, not which host the certificate was issued for.
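To make the two options in the table concrete, and to show the monitoring trade-off just described, here is an added example (not Symantec's code and not part of the original post). The `?` placeholder for redacted labels follows the examples in the table; everything else is an assumption for illustration: the base domain (eTLD+1) is passed in by the caller rather than derived from the Public Suffix List, and the log entries and watchlist are constructed sample data.

```python
"""Added example: how a name is logged under each option, and what a
domain monitor can conclude from a redacted entry. Not Symantec's code."""


def redact(fqdn: str, base_domain: str) -> str:
    """Return the name as logged under the eTLD+1 option: every label to the
    left of base_domain becomes '?'. The base domain itself is unchanged.
    Assumption: base_domain is the eTLD+1 (no Public Suffix List lookup)."""
    fqdn = fqdn.lower().rstrip(".")
    base_domain = base_domain.lower().rstrip(".")
    if fqdn == base_domain:
        return fqdn
    if not fqdn.endswith("." + base_domain):
        raise ValueError(f"{fqdn} is not under {base_domain}")
    prefix_labels = fqdn[: -len(base_domain) - 1].split(".")
    return ".".join("?" for _ in prefix_labels) + "." + base_domain


def logged_name(fqdn: str, base_domain: str, option: str) -> str:
    """'full' = default option (name logged as-is); 'etld1' = redacted option."""
    if option == "full":
        return fqdn.lower().rstrip(".")
    if option == "etld1":
        return redact(fqdn, base_domain)
    raise ValueError(f"unknown option {option!r}")


def could_be(logged: str, fqdn: str) -> bool:
    """True if a logged (possibly redacted) name is consistent with fqdn:
    same label count, and each label either equal or redacted ('?')."""
    a, b = logged.lower().split("."), fqdn.lower().split(".")
    return len(a) == len(b) and all(x == "?" or x == y for x, y in zip(a, b))


def triage(log_entries: list[str], watchlist: list[str]) -> dict:
    """Split log entries into exact (unredacted) matches against the
    watchlist, ambiguous entries (redacted, consistent with at least one
    watched name, but equally consistent with any other name of that
    shape) and unrelated entries."""
    result = {"exact": [], "ambiguous": [], "unrelated": []}
    for name in log_entries:
        hits = [w for w in watchlist if could_be(name, w)]
        if not hits:
            result["unrelated"].append(name)
        elif "?" in name:
            result["ambiguous"].append((name, hits))
        else:
            result["exact"].append(name)
    return result


# Constructed sample data (not real log contents).
SAMPLE_LOG = [
    "mail.example.com",      # logged under the default option
    "?.example.com",         # one redacted label under example.com
    "?.?.example.com",       # two redacted labels under example.com
    "www.example.org",       # someone else's domain
    "?.example.net",         # redacted, but under a domain we do not own
]
WATCHLIST = ["mail.example.com", "secret.example.com", "secret.www.example.com"]

if __name__ == "__main__":
    for name in WATCHLIST:
        print(f"{name:24} -> {logged_name(name, 'example.com', 'etld1')}")
    report = triage(SAMPLE_LOG, WATCHLIST)
    for bucket, entries in report.items():
        print(bucket, entries)
    # The caveat: a certificate for a host you never requested redacts to the
    # same string as your own, so the monitor cannot tell them apart.
    rogue = redact("evil.example.com", "example.com")
    print(rogue, "could be mail.example.com:", could_be(rogue, "mail.example.com"))
```

The `ambiguous` bucket is the practical cost of redaction: `?.example.com` is consistent with `mail.example.com`, with `secret.example.com`, and with any other single-label host under `example.com` that you did not request, so a monitor that sees it must reconcile against its own issuance records rather than against the logged name alone.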
Google, whose Chrome browser is currently the only major browser to enforce Certificate Transparency, has not yet announced when or whether Chrome will accommodate redaction. As a result, it is possible that Chrome will show an “untrusted” warning when it encounters a certificate whose owner has chosen to log it with redacted sub-domain information. Therefore, customers who have internal, browser-based applications, where privacy of certificate domain information is important, may want to consider using an alternate browser or one of our Private CA options.
We fully support certificate transparency, and with the addition of redaction, we will be logging 100% of our publicly trusted certificates. But we also believe that it is important to provide customers with options, particularly when it comes to privacy decisions for their own information. We encourage customers, partners, and the broader Internet ecosystem to share their thoughts on striking this balance in the Certificate Transparency policy discussion group.