Certificate Transparency - WoSign CT log server inclusion request
Reported by
liangdong46@gmail.com,
Apr 21 2016
Issue description

Contact Information:
- email: ctlog@wosign.com
- phone number: +86-755-8600 8688
- Log Operator: Richard Wang, Jeff Tang, Dong Liang

Log Server URL: https://ctlog.wosign.com

Server public key: Attached file: ws-ctlog-key-public.pem

Description: This log server is operated by WoSign (https://ctlog.wosign.com). This log server will act as a public log server that will include all roots trusted by Mozilla for free. WoSign will log all issued SSL certificates in this log server.

MMD: 24 hours

Accepted Roots: Attached file: ws-ctlog-trusted-roots.pem

What is the expected behavior?
What went wrong? N/A
Did this work before?
Chrome version: 44.0.2403.89 Channel: n/a
OS Version:
Flash Version:
,
Apr 21 2016
,
Apr 26 2016
,
May 4 2016
,
May 4 2016
Thank you for your request, we have started monitoring your log server. Should no issues be detected, the initial compliance monitoring phase will be complete on 2nd August 2016 and we will update this bug shortly after that date to confirm.
,
Aug 2 2016
This log has passed the initial 90 day compliance period and we will start the process to add this to Chrome.
,
Aug 5 2016
I've had massive trouble downloading certificates from this log. Does the testing include the ability to call get-entries?
,
Aug 5 2016
I too have had massive trouble with this log. From some network vantage points the log is usable (barely), but from two vantage points in particular, get-sth regularly takes 5-10 seconds and large get-entries calls time out. Unfortunately, my primary log monitor is at one of those vantage points, so it's going to be a real headache for me to monitor this log.
,
Aug 8 2016
About the long time it takes to make requests to WoSign's log, I think this is because our log is deployed in Beijing. Currently, almost all logs are deployed in America except Izenpe's, CNNIC's, and WoSign's logs. I think logs which are deployed outside America can provide more choices and in fact increase the diversity of the CT environment. About agwa-b...@mm.beanwood.com's mention that a "get-sth" request will take 5-10 seconds, I tested it at https://www.dotcom-tools.com/website-speed-test.aspx, and most requests finished in under 3 seconds, with some of the long time spent on DNS; maybe you can try this. And about large get-entries downloads causing timeouts, we are considering changing the maximum number of certificates returned per request from 1000 to 100, although this change will split one request into ten requests and in fact increases the total download time. But in some CT client implementations, the client just raises an error and exits when it meets a timeout error; this change can reduce the frequency of this kind of exit.
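The get-entries behaviour discussed above, seen from the monitor's side, as an added example that is not part of the original thread: a client that shrinks its request size on timeout and advances by the number of entries actually returned, since RFC 6962 lets a log return fewer entries than requested. `FakeLog`, `fetch_all` and the timeout threshold are hypothetical names and values constructed for this sketch; no network is used.

```python
# Added example: resilient get-entries paging for a CT log monitor.
# FakeLog is a constructed stand-in for a log's get-entries endpoint.

class FakeLog:
    """Simulates a log that caps responses and times out on large ranges."""
    def __init__(self, tree_size, max_per_request, timeout_above):
        self.tree_size = tree_size
        self.max_per_request = max_per_request  # server-side cap (1000 or 100)
        self.timeout_above = timeout_above      # larger responses "time out"
        self.calls = 0

    def get_entries(self, start, end):
        # RFC 6962 semantics: start and end are 0-based and inclusive.
        self.calls += 1
        end = min(end, self.tree_size - 1, start + self.max_per_request - 1)
        if end - start + 1 > self.timeout_above:
            raise TimeoutError(f"get-entries {start}-{end} timed out")
        return [f"leaf-{i}" for i in range(start, end + 1)]


def fetch_all(get_entries, tree_size, batch=1000, min_batch=1, max_retries=8):
    """Download entries [0, tree_size) without aborting on the first timeout."""
    entries, start, retries = [], 0, 0
    while start < tree_size:
        end = min(start + batch, tree_size) - 1
        try:
            page = get_entries(start, end)
        except TimeoutError:
            retries += 1
            if retries > max_retries:
                raise  # give up only after repeated consecutive failures
            batch = max(min_batch, batch // 2)  # ask for less next time
            continue  # a real monitor would also sleep/back off here
        if not page:
            raise RuntimeError(f"log returned no entries for {start}-{end}")
        retries = 0
        entries.extend(page)
        start += len(page)  # advance by what was returned, not what was asked
    return entries
```

With a 1000-entry cap and large responses timing out, the client settles on a smaller batch after two failed attempts; with a 100-entry cap the same client never sees a timeout but makes more requests.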
,
Aug 9 2016
I agree that it's good to deploy logs outside America, and I understand that latency is going to be higher when contacting logs that are overseas from the United States. The problem in this case isn't that WoSign's log is in China. Instead, the problem is that the peering between China Telecom and Level 3 is bad. I get 30% packet loss when pinging ctlog.wosign.com from 52.201.181.226 and 138.16.60.2. According to China Telecom's looking glass[1], the route from Beijing to these two IP addresses goes via Level 3. From other locations on the Internet I don't see any packet loss to ctlog.wosign.com. Those routes don't use Level 3. It looks like China Telecom is your ISP. Could you ask them to investigate their peering with Level 3? (My ISP for 52.201.181.226 (AWS) is already preferring NTT over Level 3 for routes *to* China Telecom, so there's nothing I can do on my end.) [1] http://ipms.chinatelecomglobal.com/public/lookglass/lookglassDisclaimer.html
,
Aug 22 2016
I think our CT log server passed the test; could you advise when, and in which version of Chrome, it will be included? Thanks.
,
Aug 22 2016
The change to include it (https://chromiumcodereview-hr.appspot.com/2202823003/) is awaiting review. So long as that happens in the next few days (it should), it should be included in the next version of Chrome.
,
Aug 25 2016
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/64cb9e2a71c89e801d45dc2cb1476305910851f3

commit 64cb9e2a71c89e801d45dc2cb1476305910851f3
Author: robpercival <robpercival@chromium.org>
Date: Thu Aug 25 09:55:14 2016

Adds WoSign log to CT logs list

It has recently completed its 90d compliance monitoring period.

BUG= 605415
Review-Url: https://codereview.chromium.org/2202823003
Cr-Commit-Position: refs/heads/master@{#414378}

[modify] https://crrev.com/64cb9e2a71c89e801d45dc2cb1476305910851f3/net/cert/ct_known_logs_static-inc.h
,
Aug 31 2016
,
Apr 11 2017
We are about to add (within the next 72 hours) the "GDCA TrustAUTH R5 ROOT" root to the list of accepted roots of the WoSign CT log server.
,
Feb 13 2018
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/3cba7db7bd2364806586dd386180fd0129f2ea9a

commit 3cba7db7bd2364806586dd386180fd0129f2ea9a
Author: Rob Percival <robpercival@chromium.org>
Date: Tue Feb 13 20:35:35 2018

Set disqualification date for Wosign and StartCom CT logs

See:
https://groups.google.com/a/chromium.org/d/msg/ct-policy/UcCqlxuz_1c/Mf_939xYAQAJ
https://groups.google.com/a/chromium.org/d/msg/ct-policy/W1Ty2gO0JNA/ZbQxlgRZAQAJ

Bug: 605415 , 611672
Change-Id: I102fa71d98cdeceff5ec723d7a8900ea4b3ea9a9
Reviewed-on: https://chromium-review.googlesource.com/911308
Commit-Queue: Ryan Sleevi <rsleevi@chromium.org>
Reviewed-by: Ryan Sleevi <rsleevi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#536453}

[modify] https://crrev.com/3cba7db7bd2364806586dd386180fd0129f2ea9a/net/data/ssl/certificate_transparency/log_list.json
Comment 1 by ashej...@chromium.org
, Apr 21 2016