
Issue 483625

Starred by 6 users

Issue metadata

Status: Fixed
Owner:
Closed: Sep 2015
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 2
Type: Feature

Blocking:
issue 616303




Certificate Transparency - Symantec Log Server Inclusion

Reported by symantec...@gmail.com, May 1 2015

Issue description

UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.74.9 (KHTML, like Gecko) Version/7.0.2 Safari/537.74.9

Steps to reproduce the problem:
Certificate Transparency - Symantec Log Server Inclusion
Log Server URL: https://ct.ws.symantec.com/ct/v1
MMD: 24 hours
HTTPS supported: yes 
Operator: Symantec
Contact:
- email:  DL-ENG-Symantec-CT-Log@symantec.com
- Phone: +1 (650) 527-4466
- contact persons: Symantec Authentication Services Production Operations

Log Server Public Key: Attached file: symantec_ecc_public_key.pem
Accepted Roots: Attached file: symantec_production_roots.pem

What is the expected behavior?

What went wrong?
Symantec CT Log Server is now available for inclusion in Chrome.

Did this work before? N/A 

Chrome version: <Copy from: 'about:version'>  Channel: n/a
OS Version: OS X 10.9.2
Flash Version: Shockwave Flash 17.0 r0
 
Attachments:
symantec_production_roots.pem (23.9 KB)
symantec_ecc_public_key.pem (496 bytes)
Cc: benl@chromium.org
Labels: -OS-Mac OS-All Cr-Internals-Network-SSL Cr-Internals-Network-CertTrans
Owner: eranm@chromium.org
Status: Assigned

Comment 3 by eranm@chromium.org, May 6 2015

Could you please re-upload your public key file? The PEM seems to contain extra stuff.
I believe I was able to figure out what the key is, confirming it would prevent problems in the future, though.
Public key is pasted below to avoid file encoding or special characters:

-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEluqsHEYMG1XcDfy1lCdGV0JwOmkY
4r87xNuroPS2bMBTP01CEDPwWJePa75y9CrsHEKqAy8afig1dpkIPSEUhg==
-----END PUBLIC KEY-----
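
Added example, not part of the original thread and not Chromium's or Symantec's code: a strict check that a submitted log key file holds exactly one clean P-256 PUBLIC KEY block, followed by the RFC 6962 log ID (SHA-256 over the DER SubjectPublicKeyInfo) derived from the key pasted above. The thread does not say what the "extra stuff" in the attachment was; the specific defects checked here (byte order mark, CR line endings, stray text) and the function names are assumptions.

```python
import base64
import hashlib

# Key bytes exactly as pasted in the comment above.
PEM_FROM_THREAD = b"""-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEluqsHEYMG1XcDfy1lCdGV0JwOmkY
4r87xNuroPS2bMBTP01CEDPwWJePa75y9CrsHEKqAy8afig1dpkIPSEUhg==
-----END PUBLIC KEY-----
"""
BEGIN, END = b"-----BEGIN PUBLIC KEY-----", b"-----END PUBLIC KEY-----"
# Fixed DER header of a SubjectPublicKeyInfo carrying an uncompressed P-256 point.
P256_SPKI_PREFIX = bytes.fromhex("3059301306072a8648ce3d020106082a8648ce3d03010703420004")


def pem_problems(raw):
    """List everything in the file that is not one clean PUBLIC KEY block."""
    problems = []
    if raw.startswith(b"\xef\xbb\xbf"):
        problems.append("byte order mark")
    if b"\r" in raw:
        problems.append("CR line endings")
    if any(b > 0x7E or (b < 0x20 and b not in (0x0A, 0x0D)) for b in raw):
        problems.append("non-printable or non-ASCII bytes")
    body = raw.strip()
    if raw.count(BEGIN) != 1 or raw.count(END) != 1:
        problems.append("expected exactly one PUBLIC KEY block")
    elif not (body.startswith(BEGIN) and body.endswith(END)):
        problems.append("content outside the PEM markers")
    return problems


def spki_from_pem(raw):
    """Return the DER SubjectPublicKeyInfo, refusing a file with extras."""
    problems = pem_problems(raw)
    if problems:
        raise ValueError("unclean PEM: " + ", ".join(problems))
    b64 = b"".join(raw.strip()[len(BEGIN):-len(END)].split())
    der = base64.b64decode(b64, validate=True)
    if len(der) != 91 or not der.startswith(P256_SPKI_PREFIX):
        raise ValueError("not an uncompressed P-256 SubjectPublicKeyInfo")
    return der


def ct_log_id(der):
    """RFC 6962 log ID: base64 of SHA-256 over the DER SubjectPublicKeyInfo."""
    return base64.b64encode(hashlib.sha256(der).digest()).decode("ascii")


if __name__ == "__main__":
    print("log ID:", ct_log_id(spki_from_pem(PEM_FROM_THREAD)))
```

The printed log ID is the value a monitor would compare against the `id` field of SCTs issued by this log.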

Comment 5 by eranm@chromium.org, May 6 2015

Log monitored as of today.
The list of roots for this log doesn't appear to include any Google test roots, and my monitor isn't picking up any test certificates periodically being added to this log. Is my monitor acting up, or do others note an apparent lack of monitoring for this log?

Comment 7 by alcutter@google.com, Jun 21 2015

#6 you are correct - since this log doesn't have the monitoring root added the monitor has as yet been unable to add any probe certificates. It has been monitoring other aspects of the log, though.

Symantec guys, not sure why you weren't asked to do so already, but would you please add the monitoring root to your set of trusted roots?

Many thanks.

Sure. We will add your root "Merge Delay Monitor Root" to our trusted roots. We will let you know once added.

Thank You.
It will be good that we get a test certificate signed by "Merge Delay Monitor Root" root for our testing purpose.

Thank You.
There will be an automatic probe consisting of adding a test certificate in the next 2 hours.
Expect it at around 1615 UTC.  Please let me know if you have any concerns after that.
We are still in the process of adding your root to our trusted roots. It will be available for testing latest by 20:00 UTC.
We have added root "Merge Delay Monitor Root" to our trusted roots. It is now ready for your testing.
Thanks, I can confirm that the Merge Delay probe is now working.
My monitor is now showing regular google monitoring certs, too.

Comment 15 by bugdroid1@chromium.org, Aug 18 2015

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/9563016b34d5518b1fb14c903170606797c3db26

commit 9563016b34d5518b1fb14c903170606797c3db26
Author: eranm <eranm@chromium.org>
Date: Tue Aug 18 10:08:41 2015

Certificate Transparency: Add Symantec's log

Symantec's log has been monitored for the required period and was
found compliant.

BUG= 483625 

Review URL: https://codereview.chromium.org/1287063007

Cr-Commit-Position: refs/heads/master@{#343873}

[modify] http://crrev.com/9563016b34d5518b1fb14c903170606797c3db26/net/cert/ct_known_logs_static.h

Comment 16 by eranm@chromium.org, Aug 19 2015

Labels: M-45 Merge-Request-45
Requesting this commit be merged into M-45, as the log qualifies and the change to introduce it is only a data change.
Labels: -Merge-Request-45 Merge-Review-45 Hotlist-Merge-Review
[Automated comment] Less than 2 weeks to go before stable on M45, manual review required.

Comment 18 by amin...@google.com, Aug 20 2015

Labels: -Merge-Review-45 Merge-Approved-45
Merge approved for M45 branch 2454.

Comment 19 by bugdroid1@chromium.org, Aug 24 2015

Labels: -Merge-Approved-45 merge-merged-2454
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/65679797747f684279762d4630ed61ad446b11f8

commit 65679797747f684279762d4630ed61ad446b11f8
Author: Alex Mineer <amineer@google.com>
Date: Mon Aug 24 18:25:35 2015

Certificate Transparency: Add Symantec's log

Symantec's log has been monitored for the required period and was
found compliant.

BUG= 483625 

Review URL: https://codereview.chromium.org/1287063007

(cherry picked from commit 9563016b34d5518b1fb14c903170606797c3db26)

Cr-Original-Commit-Position: refs/heads/master@{#343873}
Cr-Commit-Position: refs/branch-heads/2454@{#407}
Cr-Branched-From: 12bfc3360892ec53cd00fc239a47e5298beb063b-refs/heads/master@{#338390}

[modify] http://crrev.com/65679797747f684279762d4630ed61ad446b11f8/net/cert/ct_known_logs_static.h

Eran: Safe to close?
Is there a chrome version available to test Symantec log server inclusion?
Status: Fixed
The dev channel of Chrome should definitely have the log included.
Marking as fixed, thanks everyone for the responsiveness handling this inclusion request.
Labels: -Hotlist-Merge-Review -merge-merged-2454 Merge-Merged-2454 Hotlist-Merge-review
We've detected the addition of the following trusted roots:

C=EU, L=Madrid (see current address at www.camerfirma.com/address)/serialNumber=A82743287, O=AC Camerfirma S.A., CN=Chambers of Commerce Root - 2008

C=FR, O=Certplus, CN=Class 2 Primary CA

OU=GlobalSign Root CA - R2, O=GlobalSign, CN=GlobalSign

OU=GlobalSign Root CA - R3, O=GlobalSign, CN=GlobalSign

C=BE, O=GlobalSign nv-sa, OU=Root CA, CN=GlobalSign Root CA

As per policy (https://www.chromium.org/Home/chromium-security/certificate-transparency/log-policy), please notify us of any and all changes to information gathered during the log inclusion process. In particular, added or removed trusted root certificates should be posted here in advance.
We understand the policy, and we’ll post new roots to chromium in advance of adding them.

Suggestion: state explicitly in the policy that a change to the trusted root list is considered 'information gathered during the Log Inclusion', and you want to know about such changes.
It might be helpful to understand why you felt the existing policy is non-obvious, considering it's explicitly listed, along with all the other information, about how to include a log. It seems quite obvious that this is information gathered during log inclusion - as you included it in the request to be included.

For the avoidance of confusion, this includes all the information listed under Application. If it changes, notify.
The following new trusted roots will be added to Symantec CT Log Server on Jul 15, 2016:

C=US, O=AffirmTrust, CN=AffirmTrust Commercial
C=US, O=AffirmTrust, CN=AffirmTrust Networking
C=US, O=AffirmTrust, CN=AffirmTrust Premium
C=US, O=AffirmTrust, CN=AffirmTrust Premium ECC
C=FR, O=Certplus, CN=Certplus Root CA G1
C=FR, O=Certplus, CN=Certplus Root CA G2
C=FR, O=OpenTrust, CN=OpenTrust Root CA G1
C=FR, O=OpenTrust, CN=OpenTrust Root CA G2
C=FR, O=OpenTrust, CN=OpenTrust Root CA G3
Blocking: 616303
Just found an old bug notifying us of a change in the trusted roots ( crbug.com/616303 ) that was still open. I've closed it and marked it as "blocking" this, to show the connection to this bug. Belated thanks for the notification.
Could you please add the DigiCert roots to this log? 

Comment 30 Deleted

On Saturday, April 22nd, 2017 from 08:00 PM PT to 08:30 PM PT, we will perform scheduled maintenance on ct.ws.symantec.com. During the maintenance window, the log will not be available for any operation. We expect that even with this maintenance window, the log will be well within Chrome's Log uptime policy.

The following new trusted roots will be added to Symantec CT Log Server on May 11, 2017:

C=US, O=GeoTrust Inc., CN=GeoTrust Universal CA
C=US, O=GeoTrust Inc., CN=GeoTrust Universal CA 2
The following new trusted roots will be added to Symantec CT Log Server on May 17, 2017:

C=DE, O=D-Trust GmbH, CN=D-TRUST Root Class 3 CA 2 2009
C=DE, O=D-Trust GmbH, CN=D-TRUST Root Class 3 CA 2 EV 2009
C=US, O=SecureTrust Corporation, CN=SecureTrust CA
C=US, O=SecureTrust Corporation, CN=Secure Global CA
C=US, OU=www.xrampsecurity.com, O=XRamp Security Services Inc, CN=XRamp Global Certification Authority
The following new trusted roots will be added to Symantec CT Log Server:

C=IE, O=Baltimore, OU=CyberTrust, CN=Baltimore CyberTrust Root
O=Cybertrust, Inc, CN=Cybertrust Global Root
C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Root CA
C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Root G2
C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Root G3
C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Federated ID Root CA
C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root CA
C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root G2
C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root G3
C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA
C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Private Services Root
C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Trusted Root G4
C=US, O=GTE Corporation, OU=GTE CyberTrust Solutions, Inc., CN=GTE CyberTrust Global Root
C=US, O=Verizon Business, OU=OmniRoot, CN=Verizon Global Root CA
We'd like to shut this log down around Sept 2018. What's the process for log removal?
All trusted roots will be removed from this CT Log Server on 1-Oct-2018 00:00:00 UTC and the server will be shut down on 13-Oct-2018 00:00:00 UTC.
