Certificate Transparency
RFC 6962, “Certificate Transparency”, is an Experimental document published in June 2013 by B. Laurie, A. Langley, and E. Kasper. It has been obsoleted by RFC 9162; refer to the newer document for the authoritative version. The canonical text is published by the RFC Editor.
Abstract
This document describes an experimental protocol for publicly logging the existence of Transport Layer Security (TLS) certificates as they are issued or observed, in a manner that allows anyone to audit certificate authority (CA) activity and notice the issuance of suspect certificates as well as to audit the certificate logs themselves. The intent is that eventually clients would refuse to honor certificates that do not appear in a log, effectively forcing CAs to add all issued certificates to the logs.
Logs are network services that implement the protocol operations for submissions and queries that are defined in this document.
What “Experimental” means
Describes a specification that is part of a research or development effort, published so the community can gain experience with it.
The canonical text of RFC 6962 is hosted at rfc-editor.org. Available in TXT and HTML.
- RFC 6961 The Transport Layer Security Multiple Certificate Status Request Extension
- RFC 6963 A Uniform Resource Name Namespace for Examples
- RFC 6960 X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP
- RFC 6964 Operational Guidance for IPv6 Deployment in IPv4 Sites Using the Intra-Site Automatic Tunnel Addressing Protocol
- RFC 6959 Source Address Validation Improvement Threat Scope
- RFC 6965 MPLS Transport Profile Applicability: Use Cases and Design
- RFC 6958 RTP Control Protocol Extended Report Block for Burst/Gap Loss Metric Reporting
- RFC 6957 Duplicate Address Detection Proxy