Apple will join leading browser Google Chrome in enforcing a Certificate Transparency policy for all public SSL/TLS certificates issued after October 15, 2018. Websites that have certificates that are out of compliance risk their users encountering trust errors.
Here is Apple’s Certificate Transparency Policy
Our policy requires at least two Signed Certificate Timestamps (SCT) issued from a CT log—once approved* or currently approved at the time of check—and either:
- At least two SCTs from currently-approved CT logs with one SCT presented via TLS extension or OCSP Stapling; or
- At least one embedded SCT from a currently-approved log and at least the number of SCTs from once or currently approved logs, based on validity period as detailed here.
How Does This Impact You?
This should have limited impact on organizations since Certificate Transparency logging is already in place.
For organizations that choose not to log a certificate for privacy reasons, a higher percentage of browsers will not trust that certificate. Keep in mind that this may not be an issue in certain use cases, such as server-to-server communication.
Certificate Transparency (CT) Search
CT searching gives organizations an opportunity to review SSL/TLS certificates that have been issued in their name. This practice helps domain administrators discover SSL/TLS certificates that have been issued by rogue CAs.
Check the CT Logs using our CT search tool to see what public certificates have been issued to your organization.
*** This is a Security Bloggers Network syndicated blog from Entrust Datacard Blog authored by Entrust Datacard Blog. Read the original post at: https://www.entrustdatacard.com/blog/2018/june/apple-certificate-transparency