Certificate Transparency - StartCom CT log server inclusion request
Reported by startsslctlog@gmail.com, May 13 2016
Issue description

StartCom is requesting inclusion of its Certificate Transparency log into Chrome. Per https://sites.google.com/a/chromium.org/dev/Home/chromium-security/certificate-transparency/log-policy, here are the details for StartCom's log:

Contact Information:
- Email: ct@startssl.com
- Phone number: +1.213.341.0329
- Log Operator: Eddy Nigg, Andy Ligg

Log Server URL: https://ct.startssl.com

Public key: Attached file: startcom_ct_public_key.pem

Description: This log server is operated by StartCom (https://ct.startssl.com). This log server will not only log all SSL certificates issued by StartCom roots, but also act as a public log server that will include all roots trusted by Mozilla for FREE. However, during the testing and log inclusion process, we are only including the StartCom roots as authorized. Additional root entries will be evaluated after receiving an inclusion request.

MMD: 24 hours

Accepted Root Certificates of the Log: Attached file: startcom_ct_accepted_roots.pem
May 16 2016
Thank you for your request, we have started monitoring your log server. Should no issues be detected, the initial compliance monitoring phase will be complete on August 14 2016 and we will update this bug shortly after that date to confirm.
May 30 2016
We added the attached WoSign roots to the list of accepted roots of the StartCom CT log server.
Issuer: C=CN, O=WoSign CA Limited, CN=CA \xE6\xB2\x83\xE9\x80\x9A\xE6\xA0\xB9\xE8\xAF\x81\xE4\xB9\xA6
Issuer: C=CN, O=WoSign CA Limited, CN=CA WoSign ECC Root
Issuer: C=CN, O=WoSign CA Limited, CN=Certification Authority of WoSign
Issuer: C=CN, O=WoSign CA Limited, CN=Certification Authority of WoSign G2
Aug 22 2016
Could I ask whether StartCom's log (ct.startssl.com) has passed the 90 day compliance period? If there is any problem, please contact me, thanks!
Aug 22 2016
Hi, Sorry for the delay. The StartCom CT log has successfully passed the 90 day compliance monitoring tests. It will be included in Chrome as soon as we can complete the necessary work.
Aug 25 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/19ad77688a08480a7641d621787525ad336cbe69

commit 19ad77688a08480a7641d621787525ad336cbe69
Author: mhs <mhs@google.com>
Date: Thu Aug 25 15:14:40 2016

Add StartCom log to list of known CT Logs

BUG=611672

Review-Url: https://codereview.chromium.org/2269633002
Cr-Commit-Position: refs/heads/master@{#414440}

[modify] https://crrev.com/19ad77688a08480a7641d621787525ad336cbe69/net/cert/ct_known_logs_static-inc.h
Jan 11 2017
We have updated our log to include the following additional roots today:
//R1 GlobalSign Root Certificate
//R3 GlobalSign Root Certificate
Mar 31 2017
I just reported the following to ct@startssl.com:

Since 2017-03-31 02:25:40 UTC, ct.startssl.com has been closing the connection in the middle of get-entries responses for 10 or more entries. Example:

curl -sS 'https://ct.startssl.com/ct/v1/get-entries?start=1&end=10' > /dev/null
curl: (18) transfer closed with outstanding read data remaining

This is a violation of RFC 6962, which requires the response to get-entries to be a valid JSON document. If a log doesn't want to return all the entries that the client requested, the correct behavior is to return a valid JSON document containing the maximum number of entries the log is willing to return.
Apr 1 2017
ct@startssl.com fixed the get-entries problem and replied to me at around 2017-04-01 02:25 UTC. They said it was caused by a "server disk problem."
Jul 5 2017
Hi,

We’ve seen intermittent evidence over the last 24 hours of the startssl log returning empty consistency proofs. An example of when this occurred is 2017/07/04-09:29:56 PDT. The request was a consistency proof from tree size 302901 to 302904.

Additionally, it appears that the log returns empty consistency proofs for tree size values that are out of range, which is not compliant with RFC 6962. Section 4.4 states “Both tree sizes must be from existing v1 STHs”.

We can see that the log is currently around 300K entries:

curl -i 'https://ct.startssl.com/ct/v1/get-sth'
HTTP/1.1 200 OK
Server: nginx/1.6.3
Date: Wed, 05 Jul 2017 15:04:39 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive

{ "tree_size": 303325, "timestamp": 1499267075864, "sha256_root_hash": "ponN+XkjHDp51CgW4K5GhdT3v2oQZx0PiOK0E\/Zfknw=", "tree_head_signature": "BAMASDBGAiEAiOJI5hCAMmMMXaM5M9RNBE+eVFB2tL8Cbguzpdui\/sECIQCMbFbyVJzssWISZ1VZ5\/VeqC2LS11GJqt+uzN+XYl1gA==" }

But this request with sizes ~100 times bigger than the STH:

curl -i 'https://ct.startssl.com/ct/v1/get-sth-consistency?first=30329100&second=30329200'

Produces the response:

HTTP/1.1 200 OK
Server: nginx/1.6.3
Date: Wed, 05 Jul 2017 15:03:25 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive

{ "consistency": [ ] }

Joining the dots up, could there be a situation happening where there's skew across the cluster; requesting the latest STH from one node returns a fresh STH, but the subsequent request for an STH consistency proof arrives at a different node which is not up-to-date, and so the response is an empty consistency proof as shown above?
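What a monitor does with the proof discussed in the comment above, as an added example that is not part of this thread and not code from the StartCom log: RFC 6962 section 2.1.2 proof generation (what a compliant log should return for get-sth-consistency) next to the RFC 9162 section 2.1.4.2 verification procedure, run over a constructed seven-entry tree (the LEAVES list is made up). An empty consistency array, like the one returned for 302901 to 302904, can never link two different tree sizes, so verify_consistency rejects it.

```python
import hashlib

LEAVES = [b"entry-%d" % i for i in range(7)]   # constructed sample entries, not log data

def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def mth(leaves):
    """RFC 6962 s2.1 Merkle Tree Hash over raw leaf inputs D[n]."""
    n = len(leaves)
    if n <= 1:
        return _h(b"\x00" + leaves[0]) if n else _h(b"")   # leaf hash: 0x00 || d
    k = 1 << ((n - 1).bit_length() - 1)                   # largest power of two < n
    return _h(b"\x01" + mth(leaves[:k]) + mth(leaves[k:]))

def consistency_proof(m, leaves, b=True):
    """RFC 6962 s2.1.2 SUBPROOF(m, D[n], b): the proof for first=m, second=n."""
    n = len(leaves)
    if m == n:
        return [] if b else [mth(leaves)]
    k = 1 << ((n - 1).bit_length() - 1)
    if m <= k:
        return consistency_proof(m, leaves[:k], b) + [mth(leaves[k:])]
    return consistency_proof(m - k, leaves[k:], False) + [mth(leaves[:k])]

def verify_consistency(first, second, old_hash, new_hash, proof):
    """RFC 9162 s2.1.4.2: does `proof` link root old_hash (size first) to new_hash (size second)?"""
    if first == second:
        return not proof and old_hash == new_hash
    if not 0 < first < second or not proof:
        return False                        # an empty proof never links two different sizes
    if (first & (first - 1)) == 0:          # first is an exact power of two
        proof = [old_hash] + proof
    fn, sn = first - 1, second - 1
    while fn & 1:                           # drop trailing 1 bits from both equally
        fn, sn = fn >> 1, sn >> 1
    fr = sr = proof[0]
    for c in proof[1:]:
        if sn == 0:
            return False                    # proof is longer than the tree allows
        if fn & 1 or fn == sn:
            fr = _h(b"\x01" + c + fr)
            sr = _h(b"\x01" + c + sr)
            while fn and not fn & 1:
                fn, sn = fn >> 1, sn >> 1
        else:
            sr = _h(b"\x01" + sr + c)
        fn, sn = fn >> 1, sn >> 1
    return fr == old_hash and sr == new_hash and sn == 0
```

The same check applied to a real log would first pin both STHs (and verify their signatures) before trusting the proof, which is also how the out-of-range case above is caught: a second larger than the current tree_size is rejected before any hashing.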
Feb 13 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/3cba7db7bd2364806586dd386180fd0129f2ea9a

commit 3cba7db7bd2364806586dd386180fd0129f2ea9a
Author: Rob Percival <robpercival@chromium.org>
Date: Tue Feb 13 20:35:35 2018

Set disqualification date for Wosign and StartCom CT logs

See:
https://groups.google.com/a/chromium.org/d/msg/ct-policy/UcCqlxuz_1c/Mf_939xYAQAJ
https://groups.google.com/a/chromium.org/d/msg/ct-policy/W1Ty2gO0JNA/ZbQxlgRZAQAJ

Bug: 605415, 611672
Change-Id: I102fa71d98cdeceff5ec723d7a8900ea4b3ea9a9
Reviewed-on: https://chromium-review.googlesource.com/911308
Commit-Queue: Ryan Sleevi <rsleevi@chromium.org>
Reviewed-by: Ryan Sleevi <rsleevi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#536453}

[modify] https://crrev.com/3cba7db7bd2364806586dd386180fd0129f2ea9a/net/data/ssl/certificate_transparency/log_list.json
Comment 1 by mge...@chromium.org, May 13 2016
Status: Untriaged (was: Unconfirmed)