Topic S - Certificate transparency

[phin10]

Description
Requirement Reg_13 in ARF 1.4.0 requires support for Certificate Transparency for Access certificates. We received comments that this requirement is not appropriate. This needs to be discussed.

Ppublication discussion paper
19 September 2025

Link to discussion paper
Link

Discussion close
Three weeks later.

[OBIvision]

What is absolutely critical is to have Qualified Unlinkable certificates both both for access control and for unlinkable issuing of credentials and data portability.

The main problem with ARF as-is is the surveillance-by-design PID document that force all issuance to be bed based on linked identification.

[jschanck]

CT_01 | A CA issuing access certificates SHALL register these in a CT log according to RFC 9162.

The requirement to log access certificates in a CT log is good, but the ARF should not require the use of RFC 9162 ("version 2.0") logs.

I'm not aware of any current or planned deployments of RFC 9162 logs. The WebPKI is currently transitioning from RFC 6962 ("version 1") logs to Static CT logs [1,2,3]. The requirements laid out in the ARF should permit the development of standards based on Static CT and other emerging technologies such as Merkle Tree Certificates.

[stefanmore]

That requirement is from the Commission Implementing Regulation (EU) 2025/848:

ANNEX IV

3. The certificate policy and certificate practice statement applicable to the provision of wallet-relying party access certificates shall be syntactically and semantically harmonised across the Union and shall, as applicable, comply with at least the normalised certificate policy (‘NCP’) requirements as specified in standard ETSI EN 319411-1 version 1.4.1 (2023-10), and shall include:

(j) a description, where relevant, on how a provider of wallet-relying party access certificates logs all wallet-relying party access certificates they have issued, in compliance with internet engineering task force (‘IETF’) request for comments (‘RFC’) 9162 Certificate Transparency version 2.0;

(Still worth discussing, though.)

[mhutchinson]

I implement transparency logs, and I agree with @jschanck that requiring RFC 9162 logs will be tricky. To my knowledge there are no production-ready implementations of logs that implement this spec. It would be far easier to adopt Static CT, or as a fallback the older RFC 6962; both of these specs have a choice of production-tested implementations available in open source.

[jschanck]

I'd like to see a requirement for the publication of a list of CT logs that providers of wallet-relying party access certificates may use.

A CT log is a trust anchor for signed certificate timestamps, signed tree heads, and related documents. The allowed CT log trust anchors will need to be distributed to many parties, including individual wallet instances, so they will need to be published in something like a trusted list.

There should also be some discussion here on governance of / policy for this CT log list (how logs come to be included, when they can be removed, etc). The existing policies for WebPKI CT log lists from browser vendors can serve as a guide. It's not clear to me who should be responsible for enforcing the CT log list policy in the EUDI case.

[jschanck]

existing CT log providers should agree to accept certificates issued by CAs trusted within the EUDI ecosystem.

Existing WebPKI CT logs should not be used for wallet-relying party access certificates. (If the suggestion was that log operators should create new logs for wallet-relying party access certificates, then most of what I've written below can be ignored).

I imagine that most CT log monitors are interested in exactly one type of certificate. That is, I think there are monitors who are interested in WebPKI certificates, and I think are monitors who are interested in wallet-relying party access certificates, and I think there is little overlap between these two groups.

The cost of operating an RFC 6962, 9162, or Static CT log scales with the size of the log and with the number of parties that wish to monitor the log. So CT log operators will want to run separate logs for different types of certificates: this reduces the amount of data that they need to serve to single-certificate-type monitors and decreases their overall costs.

On a more technical note, different "types" of certificates are distinguished by the "Extended Key Usage" extension. Existing WebPKI CT logs may reject a certificate that does not have the id-kp-serverAuth Extended Key Usage identifier. Reasonable technical standards will forbid wallet-relying party access certificates from having the id-kp-serverAuth identifier, and they will require these certificates to have some other (yet to be defined) identifier.

[burdges]

Existing WebPKI CT logs should not be used for wallet-relying party access certificates

Oh why not? It's the wallet-relying party who asked for validation of the user's ID, right? A wallet-relying party access certificate would dictate what information can be requested by the wallet-relying party, right?

If used online, the wallet-relying party must be uniquely identified to the user agent, maybe by domain name, but even better by the actual key in their TLS certificate.

CT log operators will want to run separate logs for different types of certificates

It's clear there are quite different types of wallet-relying party access certificates, so yes you might want to audit the list who can ask for PII vs the list who can ask for over 18. Yet, we should expect far fewer wallet-relying party access certificates than TLS certificates, because each wallet-relying party access certificates requires a TLS certificate.

[stefanmore]

A wallet-relying party access certificate would dictate what information can be requested by the wallet-relying party, right?

Unfortunately, no, that's the wallet relying-part registration certificate (see CIR 2025/848). But that's independent of the CT log discussion.

If used online, the wallet-relying party must be uniquely identified to the user agent,

Correct

maybe by domain name, but even better by the actual key in their TLS certificate.

Not sure. But as you say, this is only the case for online (as in "web-based") relying parties, and not for "proximity" relying parties (where you present your wallet on a phone via, e.g., Bluetooth, to a RP in physical proximity). This is far away from any Web and hence WebPKI. I guess that's part of the objection.

you might want to audit the list who can ask for PII vs the list who can ask for over 18

For this, you would audit/monitor the RP register (see, e.g., CIR 2025/848).

because each wallet-relying party access certificates requires a TLS certificate

How so?

[burdges]

I'll rephrase, if you use the EU ID wallet online, then you need to identify the other side, not merely the RP, but the interface surounding whatever the RP does. If not, then you'll have cross-site identiy theft attacks, say by forwarding requests from legitimate RPs.

An RP in physical proximity seems quite different of course.

[jschanck]

we should expect far fewer wallet-relying party access certificates than TLS certificates

Right, and that's why there should be (smaller, cheaper to operate, and easier to monitor) CT logs that are used only for wallet-relying party access certificates.

if you use the EU ID wallet online, then you need to identify the other side, not merely the RP, but the interface surounding whatever the RP does

Absolutely. There are details on how that works when OpenID4VP is used through the Digital Credentials API here.

[mhutchinson]

I wholeheartedly agree with @jschanck in the original comment that "Existing WebPKI CT logs should not be used for wallet-relying party access certificates.". These CT logs are intended to be used for Web PKI certificates only. Other x509 certs are not the intended use case, and logs may reject them. For example, this CT log implementations allows the log to be configured to accept only certs with specific Extended Key Usages (EKUs): https://github.com/google/certificate-transparency-go/blob/master/trillian/ctfe/configpb/config.proto#L87.

In the current version of the document, the next paragraph is "Alternatively, the European Commission could establish its own CT log infrastructure", and I strongly encourage this direction in the design.

[jschanck]

CT_03 | The issuing CA SHALL include at least one Signed Certificate Timestamp (SCT) in the certificate
CT_04 | The Wallet Unit SHALL check that the access certificate includes at least one Signed Certificate Timestamp (SCT)
CT_05 | A Wallet Unit SHALL not communicate with a RP which access certificate does not include a SCT

An SCT is a promise that a log will contain an entry for a certificate in the (near) future. It is not, in and of itself, evidence that a log entry has been created.

The use of SCTs in the WebPKI is a compromise position that was reached to balance the need for CT against the expectation of immediate issuance. The ARF should leave room for technical standards with slow issuance (e.g. several minutes delay between when a certificate is requested and when it is issued).

Technical standards with slow issuance give CT logs enough time to produce cryptographic evidence of the creation of a log entry, and they give CAs enough time to embed this evidence in certificates. The ARF should leave room for technical standards that require access certificates to include strong evidence of correct logging, e.g. an inclusion proof to a signed tree head, or (better) an inclusion proof to a signed tree head with one or more witness signatures.

[zoracon]

There are a small variety of transparency log implementations that exist and this format could be utilized and ran possibly by the existing EU PKI that's set up with Qualified Trusted Service Providers.

I don't think the transparency requirement is inappropriate but the strict technical mandates around RFC 9162 and SCT are. I agree with the above around SCTs needing strong evidence and flexibility with with log implementation.

How the certificate verifier performs checks against the CT log? Directly or via a fraud detection system?

Definitely don't think it should be done directly due to privacy risk, however paired with the SCT "slowed" checks, maybe this does not need to be a real time check with each access request? I know I am getting into the realm of caching but since this isn't the same situation as a browser needing to operate on a higher scale of serving best case, safe access to websites at all times, I am wondering what else can be made more flexible here.

[mhutchinson]

Thanks for bringing up this observation that directly querying the log for a given cert leaks information. Removing SCTs from the design would allow for a stronger form of log inclusion to be circulated instead: offline inclusion proofs. This idea has been used in a number of transparency solutions, and is being formalized as a spec here: C2SP/C2SP#181. As observed in the spec, offline inclusion proofs can simply be considered a detached digital signature.

The TL; DR of it is that providing {Log Checkpoint (ideally witnessed), Leaf Index, Inclusion Proof} along with the certificate logged in the leaf allows anyone to verify inclusion in the log while offline. This makes it more useful, with stronger guarantees, and more privacy preserving.

[zoracon]

Moving towards a stronger yet flexible way of log inclusion that veers away from real-time, direct queries of the log is definitely a better path forward. The lessons from running these logs should be carried over and not just the structure.

[stefanmore]

@phin10, since there is currently an open consultation regarding 2025/848, the CIR where CT for RP Access Certs is mandated, do you know of any discussions from the ARF regarding this?