Characterizing the Root Landscape of Certificate Transparency Logs
arXiv - CS - Networking and Internet Architecture Pub Date : 2020-01-13 , DOI: arxiv-2001.04319
Nikita Korzhitskii, Niklas Carlsson

Internet security and privacy stand on the trustworthiness of public certificates signed by Certificate Authorities (CAs). However, software products do not trust the same CAs and therefore maintain different root stores, each typically containing hundreds of trusted roots capable of issuing "trusted" certificates for any domain. Incidents with misissued certificates motivated Google to implement and enforce Certificate Transparency (CT). CT logs archive certificates in a public, auditable and append-only manner. The adoption of CT changed the trust landscape, with logs too maintaining their own root lists and only logging certificates that chain back to one of their roots. In this paper, we present a first characterization of this emerging CT root store landscape, as well as the tool that we developed for data collection, visualization, and analysis of the root stores. As part of our characterization, we compare the logs' root stores and quantify their changes with respect to both each other and the root stores of major software vendors, look at evolving vendor CT policies, and show that root store mismanagement may be linked to log misbehavior. Finally, we present and discuss the results of a survey that we have sent to the log operators participating in Apple's and Google's CT log programs.

Updated: 2020-08-25