Certificate Transparency (CT) sits within a wider ecosystem, the Web Public Key Infrastructure (Web PKI). Web PKI includes everything needed to issue and verify the certificates used for TLS on the web. A certificate binds a public cryptographic key to a domain name, much as a passport binds a person's photo to their name.
Certificates are issued by CAs. Web PKI requires user agents and domain owners to trust that CAs are tying domains to the right domain owners. A user agent is something that acts on behalf of a user, usually a browser.
A CA that has been compromised, or that is simply careless, can issue certificates for any website. The connection would still be technically encrypted, but the party at the other end could be an attacker, able to read the private data in transit.
Historically, user agents determined if CAs were trustworthy through audits by credentialled third parties. But these tended to look at operational practices and historical performance rather than technical correctness. Such audits can’t catch everything. Before CT, there could be a significant time lag between a certificate being wrongly issued, and a CA doing something about it.
Because CT is a distributed ecosystem, it depends on independent, reliable logs. Built using Merkle trees, logs are publicly verifiable, append-only, and tamper-proof.
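To make "publicly verifiable" concrete, here is an added example (not code from the original page or from any CT log implementation) that builds an RFC 6962 Merkle tree over a few constructed placeholder entries, produces the audit path a log would hand out for one entry, and checks it the way a monitor or browser client would; the entry contents are made up and stand in for logged certificates.

```python
import hashlib
# RFC 6962 domain separation: leaves and interior nodes hash with different prefixes.
LEAF_PREFIX = b"\x00"
NODE_PREFIX = b"\x01"

def hash_leaf(data: bytes) -> bytes:
    return hashlib.sha256(LEAF_PREFIX + data).digest()
def hash_node(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(NODE_PREFIX + left + right).digest()

def split_point(n: int) -> int:
    return 1 << ((n - 1).bit_length() - 1)  # largest power of two strictly below n (n >= 2)

def merkle_tree_hash(leaves: list) -> bytes:
    """Merkle Tree Hash (MTH) of the ordered leaf inputs, RFC 6962 section 2.1."""
    if not leaves:
        return hashlib.sha256(b"").digest()
    if len(leaves) == 1:
        return hash_leaf(leaves[0])
    k = split_point(len(leaves))
    return hash_node(merkle_tree_hash(leaves[:k]), merkle_tree_hash(leaves[k:]))

def inclusion_proof(leaves: list, index: int) -> list:  # audit path, leaf level first
    if len(leaves) <= 1:
        return []
    k = split_point(len(leaves))
    if index < k:
        return inclusion_proof(leaves[:k], index) + [merkle_tree_hash(leaves[k:])]
    return inclusion_proof(leaves[k:], index - k) + [merkle_tree_hash(leaves[:k])]

def verify_inclusion(leaf: bytes, index: int, tree_size: int, proof: list, root: bytes) -> bool:
    """Client-side check (RFC 9162 section 2.1.3.2): recompute the root from leaf and path."""
    if index >= tree_size:
        return False
    fn, sn, r = index, tree_size - 1, hash_leaf(leaf)
    for p in proof:
        if sn == 0:                       # more path elements than the tree has levels
            return False
        if fn & 1 or fn == sn:            # our node is a right child: sibling goes on the left
            r = hash_node(p, r)
            while fn & 1 == 0 and fn != 0:  # skip levels where our subtree is already complete
                fn, sn = fn >> 1, sn >> 1
        else:                             # our node is a left child
            r = hash_node(r, p)
        fn, sn = fn >> 1, sn >> 1
    return sn == 0 and r == root

ENTRIES = [f"cert-for-example{i}.test".encode() for i in range(5)]  # constructed placeholders
ROOT = merkle_tree_hash(ENTRIES)       # the value a log signs in its tree head
PROOF = inclusion_proof(ENTRIES, 2)    # the audit path a log returns for entry 2
```

A forged entry, or the right entry claimed at the wrong position, recomputes to a different root and fails the check, which is what lets anyone audit a log without trusting it.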
Thanks to CT, domain owners, browsers, academics, and other interested people can analyse and monitor logs. They’re able to see which CAs have issued which certificates, when, and for which domains.
To help keep the web safe, CT needs numerous robust logs, run by different organizations, in different jurisdictions.
CT may have been started by engineers at Google, but it works because independent organizations set up and run monitors and logs. For the internet, and of the internet.