Working together to detect maliciously or mistakenly issued certificates.

Submitted by Style Pass, 2021-06-06 10:30:05

To the participants of the Certificate Transparency (CT) ecosystem, who give their time, expertise, and resources to help keep the web secure.

Certificate Transparency (CT) sits within a wider ecosystem, the Web Public Key Infrastructure (Web PKI). Web PKI includes everything needed to issue and verify the certificates used for TLS on the web. A certificate binds a public cryptographic key to a domain name, much as a passport ties a person's photo to their name.

Certificates are issued by Certificate Authorities (CAs). Web PKI requires user agents and domain owners to trust that CAs bind domains to the right domain owners. A user agent is something that acts on behalf of a user, usually a browser.

A CA that has been compromised, or is simply careless, can issue a certificate for any website. A connection using such a certificate is still encrypted, but the party at the other end may be an attacker rather than the site's owner, and that attacker can read the private data.

Historically, user agents judged whether a CA was trustworthy through audits by credentialled third parties. These audits tended to examine operational practices and historical performance rather than technical correctness, so they could not catch everything. Before CT, there could be a significant time lag between a certificate being wrongly issued and the CA doing something about it.
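The two views above, the user agent's and the domain owner's, as a constructed toy Web PKI in Go. This is an added example, not code from the CT project or from this page; the CA, the domain `example.com`, the keys and the `must` helper are all invented here, and a real monitor would read certificates from a CT log and keep a set of keys it controls rather than one.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must panics on error; it only keeps this constructed example short.
func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }

// issue makes a fresh key and has caKey sign a leaf for dns; with ca == nil it returns a self-signed root CA.
func issue(dns string, ca *x509.Certificate, caKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: dns},
		DNSNames: []string{dns}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: ca == nil, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	if ca == nil { // root: signs itself and carries no SAN
		tmpl.DNSNames, ca, caKey = nil, tmpl, key
	}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)))), key
}

// Accepts is the user agent's view: does cert chain to the trusted root and name dns?
func Accepts(cert, root *x509.Certificate, dns string) bool {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := cert.Verify(x509.VerifyOptions{DNSName: dns, Roots: pool})
	return err == nil
}

// Unexpected is the domain owner's check over CT log entries: a certificate naming their domain but
// bound to a key they do not control was mis-issued, even though Accepts says yes.
func Unexpected(cert *x509.Certificate, dns string, ownKey *ecdsa.PublicKey) bool {
	return len(cert.DNSNames) > 0 && cert.DNSNames[0] == dns && !ownKey.Equal(cert.PublicKey)
}

// Demo issues a legitimate and a rogue leaf from the same trusted CA and reports both views.
func Demo() (legitOK, rogueOK, legitFlagged, rogueFlagged bool) {
	root, caKey := issue("Example Root CA", nil, nil)
	legit, ownerKey := issue("example.com", root, caKey)
	rogue, _ := issue("example.com", root, caKey) // what a compromised or careless CA produces
	return Accepts(legit, root, "example.com"), Accepts(rogue, root, "example.com"),
		Unexpected(legit, "example.com", &ownerKey.PublicKey), Unexpected(rogue, "example.com", &ownerKey.PublicKey)
}

func main() { fmt.Println(Demo()) } // true true false true
```

The browser-style check accepts both certificates, because both chain to a trusted root; only the owner's comparison against the keys they actually hold singles out the rogue one, which is the gap CT logs exist to close.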
