Status: Verified
Closed: Aug 2016
Pri: 3
Type: Feature



Certificate Transparency - WoSign CT log server inclusion request
Reported by liangdong46@gmail.com, Apr 21 2016
Contact Information:
- email: ctlog@wosign.com;
- phone number:  +86-755-8600 8688
- Log Operator: Richard Wang, Jeff Tang, Dong Liang

Log Server URL: https://ctlog.wosign.com

Server public key: Attached file: ws-ctlog-key-public.pem

Description: 
This log server is operated by WoSign (https://ctlog.wosign.com). This log server will act as a public log server that will include all roots trusted by Mozilla for free.
WoSign will log all issued SSL certificates in this log server.

MMD: 24 hours

Accepted Roots: Attached file: ws-ctlog-trusted-roots.pem

Chrome version: 44.0.2403.89  Channel: n/a
Attachments:
- ws-ctlog-key-public.pem (178 bytes)
- ws-ctlog-trusted-roots.pem (273 KB)
Components: Internals>Network
Components: -Internals>Network Internals>Network>CertTrans
Owner: eranm@chromium.org
Status: Untriaged
Labels: -Type-Bug Type-Feature
Owner: robpercival@chromium.org
Status: Started
Thank you for your request, we have started monitoring your log server. Should no issues be detected, the initial compliance monitoring phase will be complete on 2nd August 2016 and we will update this bug shortly after that date to confirm.
This log has passed the initial 90 day compliance period and we will start
the process to add this to Chrome.
Comment 7 by pzbo...@gmail.com, Aug 5 2016
I've had massive trouble downloading certificates from this log.  Does the testing include the ability to call get-entries?
I too have had massive trouble with this log.  From some network vantage points the log is usable (barely), but from two vantage points in particular, get-sth regularly takes 5-10 seconds and large get-entries calls time out.  Unfortunately, my primary log monitor is at one of those vantage points, so it's going to be a real headache for me to monitor this log.
Comment 9 Deleted
Regarding the long time it takes to send requests to WoSign’s log, I think this is because our log is deployed in Beijing. Currently, almost all logs are deployed in America, except the Izenpe, CNNIC, and WoSign logs. I think logs deployed outside America provide more choices and in fact increase the diversity of the CT environment.
Regarding agwa-b...@mm.beanwood.com's mention that a “get-sth” request takes 5-10 seconds, I tested it at https://www.dotcom-tools.com/website-speed-test.aspx, and most requests finished in under 3 seconds, with some of the long times spent on DNS; maybe you can try this.
As for large get-entries downloads causing timeouts, we are considering changing the maximum number of certificates returned per request from 1000 to 100, although this change will split one request into ten requests and in fact increases the total download time. But in some CT client implementations, the client just raises an error and exits when it meets a timeout error, so this change can reduce the frequency of this kind of exit.
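
The get-entries paging concern raised in the comment above, as an added example that is not part of the original thread or of any CT client's code: a monitor-side loop that advances by the number of entries actually returned and shrinks its request after a timeout, so a log lowering its cap from 1000 to 100 does not break the client. `FakeLog` and `fetch_range` are hypothetical names, and the log is a constructed in-memory stand-in for the HTTP endpoint.

```python
class FakeLog:
    """Constructed in-memory stand-in for a log's get-entries endpoint."""

    def __init__(self, tree_size, max_batch, fail_on=()):
        self.tree_size = tree_size
        self.max_batch = max_batch      # server-side cap, e.g. 1000 or 100
        self.fail_on = set(fail_on)     # call numbers that simulate a timeout
        self.calls = 0

    def get_entries(self, start, end):
        self.calls += 1
        if self.calls in self.fail_on:
            raise TimeoutError("simulated timeout")
        last = min(end, start + self.max_batch - 1, self.tree_size - 1)
        return {"entries": [{"leaf_input": f"leaf-{i}"} for i in range(start, last + 1)]}


def fetch_range(log, start, end, want=1000, max_retries=3):
    """Fetch entries start..end (inclusive), tolerating short batches and timeouts."""
    out, next_index, retries = [], start, 0
    while next_index <= end:
        batch_end = min(end, next_index + want - 1)
        try:
            resp = log.get_entries(next_index, batch_end)
        except TimeoutError:
            retries += 1
            if retries > max_retries:
                raise                   # persistent failure: surface it to the monitor
            want = max(1, want // 2)    # ask for a smaller batch and resume in place
            continue
        entries = resp["entries"][: batch_end - next_index + 1]
        if not entries:
            raise RuntimeError(f"log returned no entries at index {next_index}")
        out.extend(entries)
        next_index += len(entries)      # advance by what was returned, not what was asked
        retries = 0
    return out


if __name__ == "__main__":
    log = FakeLog(tree_size=2500, max_batch=100, fail_on={2})
    entries = fetch_range(log, 0, 2499)
    print(len(entries), "entries in", log.calls, "calls")
```
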

I agree that it's good to deploy logs outside America, and I understand that latency is going to be higher when contacting logs that are overseas from the United States.  The problem in this case isn't that WoSign's log is in China.  Instead, the problem is that the peering between China Telecom and Level 3 is bad.  I get 30% packet loss when pinging ctlog.wosign.com from 52.201.181.226 and 138.16.60.2.  According to China Telecom's looking glass[1], the route from Beijing to these two IP addresses goes via Level 3.  From other locations on the Internet I don't see any packet loss to ctlog.wosign.com.  Those routes don't use Level 3.

It looks like China Telecom is your ISP.  Could you ask them to investigate their peering with Level 3?  (My ISP for 52.201.181.226 (AWS) is already preferring NTT over Level 3 for routes *to* China Telecom, so there's nothing I can do on my end.)

[1] http://ipms.chinatelecomglobal.com/public/lookglass/lookglassDisclaimer.html
Comment 12 by wos...@gmail.com, Aug 22 2016
I think our CT log server passed the test, could you advise when it will be included and in which version of Chrome? Thanks.
The change to include it (https://chromiumcodereview-hr.appspot.com/2202823003/) is awaiting review. So long as that happens in the next few days (it should), it should be included in the next version of Chrome.
Project Member Comment 14 by bugdroid1@chromium.org, Aug 25 2016
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/64cb9e2a71c89e801d45dc2cb1476305910851f3

commit 64cb9e2a71c89e801d45dc2cb1476305910851f3
Author: robpercival <robpercival@chromium.org>
Date: Thu Aug 25 09:55:14 2016

Adds WoSign log to CT logs list

It has recently completed its 90d compliance monitoring period.

BUG= 605415 

Review-Url: https://codereview.chromium.org/2202823003
Cr-Commit-Position: refs/heads/master@{#414378}

[modify] https://crrev.com/64cb9e2a71c89e801d45dc2cb1476305910851f3/net/cert/ct_known_logs_static-inc.h

Labels: M-54
Status: Verified
We are about to add (within the next 72 hours) the "GDCA TrustAUTH R5 ROOT"  root to the list of accepted roots of the WoSign CT log server.
