Improving Web PKI Security: How SCTNotAfter Prevents Widespread Certificate Errors
2025-03-06

Historically, distrust events for Certificate Authorities (CAs) caused significant disruption because they produced widespread certificate errors all at once. With Certificate Transparency (CT) logs and shorter certificate lifetimes, the situation has improved. The new SCTNotAfter mechanism provides cryptographic assurance about the certificate's 'NotBefore' date, so distrust can be applied only to certificates issued after a future date, giving users time to transition. This approach, which Chrome used successfully in the GLOBALTRUST and Entrust distrust events, minimizes user disruption while strengthening Web PKI security and the user experience.
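As an added illustration (this code is not from the original page, and it is not Chrome's implementation), the following Python sketch shows how a root-store SCTNotAfter constraint can be evaluated against the SCTs embedded in a certificate. It assumes the rule described above: a certificate chaining to the constrained CA stays trusted only if it carries an SCT whose timestamp is on or before the SCTNotAfter date, and a certificate with no SCTs is not trusted. The SCT encoding follows RFC 6962's SignedCertificateTimestampList; the log IDs, timestamps and signature bytes are constructed test data and no signatures are verified. The `trusted_by_not_before` function is included only to contrast the CA-asserted NotBefore field, which a CA could backdate, with the log-asserted SCT timestamp.

```python
"""Hypothetical SCTNotAfter evaluation over RFC 6962 SCTs (added example, constructed data)."""
import struct
from datetime import datetime, timezone

LOG_ID_A = b"\x11" * 32  # constructed 32-byte log IDs, not real CT logs
LOG_ID_B = b"\x22" * 32


def ms(dt: datetime) -> int:
    """Milliseconds since the Unix epoch, treating a naive datetime as UTC."""
    return int(dt.replace(tzinfo=timezone.utc).timestamp() * 1000)


def build_sct(log_id: bytes, timestamp_ms: int) -> bytes:
    """Serialize a minimal RFC 6962 v1 SCT with a placeholder signature (test data only)."""
    return (
        b"\x00"                                       # sct_version = v1
        + log_id                                      # 32-byte log ID
        + struct.pack(">Q", timestamp_ms)             # timestamp, ms since epoch
        + struct.pack(">H", 0)                        # no extensions
        + b"\x04\x03"                                 # SignatureAndHashAlgorithm: sha256, ecdsa
        + struct.pack(">H", 4) + b"\xde\xad\xbe\xef"  # placeholder signature bytes
    )


def build_sct_list(scts: list) -> bytes:
    """Wrap SCTs in a SignedCertificateTimestampList (2-byte total length, 2-byte length per SCT)."""
    body = b"".join(struct.pack(">H", len(s)) + s for s in scts)
    return struct.pack(">H", len(body)) + body


def parse_sct_timestamps(sct_list: bytes) -> list:
    """Extract the timestamp (ms since epoch) from every v1 SCT in the list."""
    (total,) = struct.unpack(">H", sct_list[:2])
    if total != len(sct_list) - 2:
        raise ValueError("SCT list length mismatch")
    pos, timestamps = 2, []
    while pos < len(sct_list):
        (n,) = struct.unpack(">H", sct_list[pos:pos + 2])
        sct = sct_list[pos + 2:pos + 2 + n]
        if len(sct) != n:
            raise ValueError("truncated SCT")
        if sct[0] != 0 or n < 1 + 32 + 8 + 2:
            raise ValueError("unsupported or malformed SCT")
        (ts,) = struct.unpack(">Q", sct[33:41])  # version(1) + log_id(32), then 8-byte timestamp
        timestamps.append(ts)
        pos += 2 + n
    return timestamps


def trusted_under_sct_not_after(sct_list: bytes, sct_not_after: datetime) -> bool:
    """Assumed rule: trusted iff at least one SCT timestamp is on or before SCTNotAfter.

    No SCTs means no log-attested issuance time, so the certificate fails the check.
    """
    timestamps = parse_sct_timestamps(sct_list)
    return bool(timestamps) and min(timestamps) <= ms(sct_not_after)


def trusted_by_not_before(cert_not_before: datetime, cutoff: datetime) -> bool:
    """Naive comparison on the CA-asserted NotBefore field, shown only for contrast."""
    return cert_not_before <= cutoff


SCT_NOT_AFTER = datetime(2024, 4, 15)  # constructed cutoff date

# Constructed: logged before the cutoff in one log, logged again later in another.
OLD_CERT_SCTS = build_sct_list([
    build_sct(LOG_ID_A, ms(datetime(2024, 1, 10))),
    build_sct(LOG_ID_B, ms(datetime(2024, 7, 1))),
])
# Constructed: every SCT is after the cutoff, whatever NotBefore claims.
NEW_CERT_SCTS = build_sct_list([build_sct(LOG_ID_A, ms(datetime(2024, 5, 2)))])
NO_SCTS = build_sct_list([])

if __name__ == "__main__":
    print("old cert trusted:", trusted_under_sct_not_after(OLD_CERT_SCTS, SCT_NOT_AFTER))
    print("new cert trusted:", trusted_under_sct_not_after(NEW_CERT_SCTS, SCT_NOT_AFTER))
    print("no SCTs trusted:", trusted_under_sct_not_after(NO_SCTS, SCT_NOT_AFTER))
    # A backdated NotBefore would pass the naive field comparison; the SCT check does not rely on it.
    print("backdated NotBefore passes naive check:",
          trusted_by_not_before(datetime(2024, 4, 1), SCT_NOT_AFTER))
```

The point of the contrast is that the SCT timestamp is set by the log at the moment the (pre)certificate is submitted, so a relying party can bound issuance time without trusting the CA's own NotBefore value; the minimum over all SCTs is used so that a later re-logging of an older certificate does not cause it to lose trust.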
Tech
Certificate Trust