It looks like some of this data is incorrect due to a Firefox bug, which I've filed as https://bugzilla.mozilla.org/show_bug.cgi?id=1972339
SRE at Let's Encrypt, though these toots are my own.
@cybeej Internet Security Research Group is the name of the organization that runs Let's Encrypt (i.e., in #3 position)
Firefox's telemetry has data on how many times a CA is used to successfully validate certificates. This is a pretty good measure for how "big" a CA is. The data is hard to view in Mozilla's site, so I've made a script to combine a few data sources and graph it! https://github.com/mcpherrinm/cert-count
Inspired by the classic xeyes program, I made a thing:
ssh teyes.fly.dev
Or go install github.com/mcpherrinm/teyes@latest && teyes
Give your mouse a wiggle over the terminal!
I'll be speaking at the Ontario Cryptography Day!
https://ontario-crypto-day.github.io/
Where: University of Waterloo Davis Centre (DC) 1301 and 1302
When: Friday, June 6, 2025, from 10am to approx. 4:30pm
I hope anyone in the area interested in cryptography is able to attend. It's a free event, but registration is required.
@rsalz interesting that the criterion is in ALL root stores, which might be an issue in some cases as root stores evolve.
E.g., a new CA that's trusted directly in Chrome, with a cross-sign from an old CA. Perhaps Chrome only trusts the new CA, and some other program like Microsoft (who aren't taking new roots right now) only supports the old CA providing the cross-sign.
A certificate chain with the cross-sign will work with both programs, but Akamai's policy here seems like it may exclude said CA.
@MichaelPorter GPS receivers in datacenters provide an accurate source of time, which is how basically everyone sets their clock now. It's how your phone and computer know the time, though maybe one or two steps away from GPS.
Of all the things I didn’t expect to ever happen, iOS Safari actually got a certificate viewer in 18.4! https://webkit.org/blog/16574/webkit-features-in-safari-18-4/#connection-security
We've issued our first short-lived (6 day) certificate! https://letsencrypt.org/2025/02/20/first-short-lived-cert-issued/
@zash Yes. If you're using Let's Encrypt for client certs, start planning a migration now.
@ryanc Splitting S/MIME from TLS roots has already been in progress. I'm less familiar with the details as we don't operate an S/MIME root, but I believe Mozilla and Chrome already have some requirements around that.
Chrome has published version 1.6 of their root store policy.
Notably, this contains a timeline for deprecating use of the TLS Client Auth extended-key-usage inside the PKIs included in their program.
If you currently use TLS Client Auth from a publicly trusted CA, you may need to take action.
> ... certificates issued on or after June 15, 2026 MUST include the extendedKeyUsage extension and only assert an extendedKeyUsage purpose of id-kp-serverAuth.
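An added check, not code from this post, from Chrome or from Let's Encrypt, that applies the quoted rule to a parsed certificate using only Go's standard library. The certificates it inspects are self-signed test certificates constructed in the block itself (hypothetical name, fixed test-only key).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Date quoted from Chrome Root Program policy 1.6 in the post above.
var policyCutoff = time.Date(2026, time.June, 15, 0, 0, 0, 0, time.UTC)

// ClientAuthProblem returns "" when cert satisfies the quoted rule (issued on or after the
// cutoff, it must carry an EKU extension asserting only id-kp-serverAuth), else the reason.
func ClientAuthProblem(cert *x509.Certificate) string {
	if cert.NotBefore.Before(policyCutoff) {
		return "" // certificates issued before the cutoff are not affected by this rule
	}
	if len(cert.ExtKeyUsage)+len(cert.UnknownExtKeyUsage) == 0 {
		return "missing extendedKeyUsage extension"
	}
	// UnknownExtKeyUsage holds EKU OIDs Go has no constant for, so any entry there is not serverAuth.
	if len(cert.UnknownExtKeyUsage) > 0 || len(cert.ExtKeyUsage) != 1 || cert.ExtKeyUsage[0] != x509.ExtKeyUsageServerAuth {
		return "asserts an EKU other than id-kp-serverAuth (for example clientAuth)"
	}
	return ""
}

// newTestCert builds a self-signed certificate as constructed test input (hypothetical name,
// fixed test-only key). With a nil ekus slice Go omits the extendedKeyUsage extension entirely.
func newTestCert(notBefore time.Time, ekus []x509.ExtKeyUsage) (*x509.Certificate, error) {
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example.test"},
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(6 * 24 * time.Hour), // 6-day lifetime, as in the short-lived cert post
		ExtKeyUsage:  ekus,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, priv.Public(), priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

To check a real certificate, pass the result of x509.ParseCertificate on its DER bytes (or a tls.ConnectionState's PeerCertificates[0]) to ClientAuthProblem instead of the constructed test certificate.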
@ondra @argv_minus_one As an extra heads-up on this note, Android's also going to start enforcement soon, opt-in per-app, just announced in https://groups.google.com/g/certificate-transparency/c/ofE05kCAtIk/m/XNiNOi80AAAJ
@ondra @argv_minus_one Thanks. I agree Firefox should be pre-announcing these big changes sooner.
As a CA, I am very much interested in understanding issues that people using our certificates may run into, and I'm not sure I fully understand the breakage here, which is why I'm asking.
We monitor what SCTs we insert in certificates against the different browsers' policies to make sure we have high compatibility with all CT-enforcing clients, and I got Firefox to make one change prerelease to avoid one edge-case at least. So if there's additional incompatibility I very much want to know!
Can you say more about what the carveout Chromium has here that Firefox is missing?
Certificate Transparency requires a pair of "Signed Certificate Timestamps" from logs be provided to the browser. They're usually embedded in the certificate by the issuing CA, though there are technically two additional options (in a stapled OCSP response, or provided by the webserver in a TLS extension).
There's no online querying, though some browsers (like Chrome, for users who have opted in to enhanced safe browsing) do some random sampled reporting of observed SCTs to detect misbehaving logs.
Firefox was the biggest browser that didn't require CT, I think.
Congratulations to the Firefox team for shipping CT enforcement!
> Starting in Firefox 135, Certificate Transparency is now enforced on all desktop platforms.
https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/OagRKpVirsA/m/Q4c89XG-EAAJ
I'm speaking at #SREcon in Santa Clara this March! Come learn how Let's Encrypt issues millions of certificates with just a handful of staff and servers! https://www.usenix.org/conference/srecon25americas/presentation/mcpherrin
@jarek oh huh thanks, I do actually think I can get some stuff together by Sunday