Certificate Transparency - Google "Skydiver" log server inclusion request
Issue description

Contact Information:
- email: google-ct-logs@googlegroups.com
- phone number: +442070313000 (Google UK)
- Log Operator: Al Cutter, Eran Messeri, Pierre Phaneuf, Paul Hadfield, Martin Smith, Rob Percival, Kat Joyce

Log Server URL: https://ct.googleapis.com/skydiver
Log ID: u9nfvB+KcbWTlCOXqpJ7RzhXlQqrUugakJZkNo4e0YU=
Server public key: Attached file: google-skydiver-key-public.pem
Description: Google's fifth CT log, operating since 2016-Jun-10. At time of application Skydiver will log probe certificates that chain to the Chromium Compliance Monitor root. Further roots will be announced on this bug during the compliance test period.
MMD: 24 hours
Accepted roots: Attached file: google-skydiver-roots-20160729.pem
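A request like the one above publishes two things a relying party has to tie together: the log's public key (the attached PEM) and its Log ID. Under RFC 6962 the Log ID is the SHA-256 hash of the DER-encoded SubjectPublicKeyInfo of that key, and it is the value SCTs carry to say which key should verify them, so a monitor or browser vendor checks that the published ID really is the hash of the published key before trusting either. The following is an added example of that check (not code from this bug, from Chromium, or from Google's CT logs); the key it hashes is a constructed placeholder, not Skydiver's key, so it deliberately does not match the Log ID given above.

```python
import base64
import hashlib
import re

# RFC 6962 section 3.2: a log's ID is SHA-256 over the log's public key, DER-encoded
# as an X.509 SubjectPublicKeyInfo. Chrome's known-logs list pairs exactly these two
# values, so a mismatch between a published Log ID and the published key is something
# a monitor should catch before accepting SCTs that name that ID.

PEM_RE = re.compile(
    r"-----BEGIN PUBLIC KEY-----(.*?)-----END PUBLIC KEY-----", re.DOTALL
)

def pem_to_der(pem: str) -> bytes:
    """Extract the DER SubjectPublicKeyInfo from a PEM 'PUBLIC KEY' block."""
    m = PEM_RE.search(pem)
    if m is None:
        raise ValueError("no PUBLIC KEY block found")
    body = "".join(m.group(1).split())  # drop line breaks and other whitespace
    return base64.b64decode(body, validate=True)

def log_id_from_der(spki_der: bytes) -> str:
    """Base64 form of the RFC 6962 log ID for a DER SubjectPublicKeyInfo."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")

def log_id_from_pem(pem: str) -> str:
    return log_id_from_der(pem_to_der(pem))

def is_well_formed_log_id(log_id: str) -> bool:
    """A log ID must decode to exactly 32 bytes (one SHA-256 digest)."""
    try:
        return len(base64.b64decode(log_id, validate=True)) == 32
    except ValueError:
        return False

def log_id_matches(pem: str, claimed_log_id: str) -> bool:
    """True only when the claimed ID is exactly the hash of the supplied key."""
    return is_well_formed_log_id(claimed_log_id) and log_id_from_pem(pem) == claimed_log_id

# CONSTRUCTED sample key: a syntactically valid P-256 SubjectPublicKeyInfo whose point
# coordinates are placeholder bytes. It is NOT Skydiver's key (that key lives only in the
# bug's attachment); it exists solely so the hashing path can be exercised offline.
SAMPLE_SPKI = bytes.fromhex(
    "3059"                      # SEQUENCE, 89 bytes
    "3013"                      #   SEQUENCE, 19 bytes (AlgorithmIdentifier)
    "06072a8648ce3d0201"        #     OID 1.2.840.10045.2.1 (ecPublicKey)
    "06082a8648ce3d030107"      #     OID 1.2.840.10045.3.1.7 (prime256v1)
    "034200"                    #   BIT STRING, 66 bytes, 0 unused bits
    "04"                        #     uncompressed point marker
) + bytes(range(1, 33)) + bytes(range(33, 65))  # placeholder X || Y coordinates

# Wrap the constructed DER as PEM, 64 base64 characters per line, as a real key file would be.
SAMPLE_PEM = (
    "-----BEGIN PUBLIC KEY-----\n"
    + "\n".join(
        base64.b64encode(SAMPLE_SPKI).decode("ascii")[i:i + 64]
        for i in range(0, 124, 64)
    )
    + "\n-----END PUBLIC KEY-----\n"
)

# Log ID exactly as published in the Skydiver inclusion request above.
SKYDIVER_LOG_ID = "u9nfvB+KcbWTlCOXqpJ7RzhXlQqrUugakJZkNo4e0YU="

if __name__ == "__main__":
    print("derived log ID for the sample key:", log_id_from_pem(SAMPLE_PEM))
    print("sample key hashes to Skydiver's ID?", log_id_matches(SAMPLE_PEM, SKYDIVER_LOG_ID))
```

To check a real submission, replace SAMPLE_PEM with the contents of the attached google-skydiver-key-public.pem; log_id_matches then reports whether the attached key and the stated Log ID agree. Note that log_id_matches only checks the hash relationship; whether the key is a valid EC point and whether the log's SCTs verify under it is a separate step.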

Aug 1 2016
Adding TE-NeedsFurtherTriage as it can't be triaged from TE end.

Aug 1 2016

Aug 1 2016

Aug 1 2016

Aug 1 2016

Aug 1 2016
This does not seem like a good precedent to set - not accepting any roots until you pass compliance testing. For example, it does not help reassure the public about the utility in this log or what its policies may be.

Aug 1 2016
Per the on-going policy discussion here: https://groups.google.com/a/chromium.org/d/msg/ct-policy/2ZL4tSCwbYU/xcck3xZ8BQAJ Google plan to launch Skydiver and Icarus as a pair of logs, which between them cover the same open set of roots as the other Google logs Aviator, Pilot & Rocketeer. I aim to have finalised the root split by EOB 2016-Aug-05 and will update this bug with the Skydiver root set then.

Aug 2 2016

Aug 5 2016
Please find attached the revised set of roots accepted by Google's Skydiver CT log, in google-skydiver-roots-20160805.pem

In summary: Skydiver will not accept certs issued by Let's Encrypt or other subordinate CAs signed by IdenTrust DST X3, but beyond that has the same open root set as Google's Aviator, Pilot and Rocketeer. We are launching Skydiver in a pair with Icarus, which only accepts certs issued by Let's Encrypt or other subordinate CAs signed by IdenTrust DST X3. The list of subjects from Skydiver's accepted roots is too long for a Chromium bug comment, unfortunately :(

Aug 5 2016
Thank you for your request, we have started monitoring your log server. Should no issues be detected, the initial compliance monitoring phase will be complete on 3rd November 2016 and we will update this bug shortly after that date to confirm.

Oct 3 2016
The attached root certificates should be accepted by Skydiver within the next couple of hours. This brings us up to date with the latest roots trusted by Apple and Microsoft.

Nov 3 2016
This log has passed the initial 90 day compliance period and we will start the process to add this to Chrome.

Nov 3 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/403c8359bdc2b635d480a80329c41be422583c1f

commit 403c8359bdc2b635d480a80329c41be422583c1f
Author: robpercival <robpercival@chromium.org>
Date: Thu Nov 03 19:29:36 2016

Add icarus and skydiver CT logs

They have completed their initial compliance monitoring successfully.

BUG=632752,632753
Review-Url: https://codereview.chromium.org/2477563004
Cr-Commit-Position: refs/heads/master@{#429670}

[modify] https://crrev.com/403c8359bdc2b635d480a80329c41be422583c1f/net/cert/ct_known_logs_static-inc.h

Nov 7 2016

Nov 21 2016
Please ensure Milestones are set when marking an issue Fixed.

Nov 28 2016
As pointed out in https://groups.google.com/forum/#!topic/certificate-transparency/JZPpFqU_KVM, there will only be a single trusted Google CT log (Pilot) accepting submissions for the 6-10 hours that Rocketeer is read-only. Were this to fail, no CAs would be able to issue EV certificates for that time period. If we cherry-pick this update to the known logs list, and delay the Rocketeer maintenance by a week, then there will be 3 trusted Google logs during this maintenance period instead. However, I realise that this is very much a last minute request!

Nov 28 2016
[Automated comment] Less than 2 weeks to go before stable on M55, manual review required.

Nov 28 2016
Is this change applicable to all OSs or any specific OS?

Nov 28 2016
Certificate Transparency checks are performed on all platforms except for mobile I believe. This is just a data change (adds a couple of elements to the array of CT logs), so carries minimal risk.

Nov 28 2016
This is apparently something we have prior agreement to be able to do, in general. Quoting eranm@chromium.org: "Ryan [Sleevi] very helpfully negotiated an agreement from the Chrome TPMs to cherry-pick log inclusion changes which they've upheld on previous occasions."

Nov 28 2016
Approving merge to M55 branch 2883 based on comment #20, #21 and per chat with robpercival@. Please merge ASAP. Merge has to happen today (Monday) before 4:00 PM PT in order to make the desktop final build cut.

Nov 28 2016
Per discussions with Ryan Hurst, I don't think we should be merging this, especially not this close to branch, as a matter of policy.

Nov 28 2016
We did not get to finish that conversation. I think it is a mistake not to take this minor change. The logs in question have met the inclusion policy requirements (90 days of testing) and have been in 56 for several weeks. The inclusion into 55 will significantly de-risk two log changes happening in the coming weeks. Should an issue come up when we upgrade Rocketeer and move Aviator to read-only, having these two logs trusted by Chrome would potentially prevent the need for an emergency update to address any failures that might happen. To the policy issue, the question is if these logs have met the same criteria other logs would have to -- they do. The question is one of train only. Since this reduces the risk of needing an emergency fix at a later date, does not treat "google" any differently than anyone else, is extremely low risk and is ready for inclusion, taking this is the right thing to do in my opinion.

Nov 28 2016
We're not in sync. In the future, let's figure out how to better coordinate merge requests. I don't think it's appropriate or desirable for log operators to be setting merge requests for their logs.

Nov 28 2016
I agree this isn't how it should have happened, but let's take this for M55.

Nov 28 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/b471372e332a57d76d02fd2a0f616372192d60e6

commit b471372e332a57d76d02fd2a0f616372192d60e6
Author: Andrew R. Whalley <awhalley@chromium.org>
Date: Mon Nov 28 20:42:30 2016

[M55 merge] Add icarus and skydiver CT logs

They have completed their initial compliance monitoring successfully.

BUG=632752,632753
Review-Url: https://codereview.chromium.org/2477563004
Cr-Commit-Position: refs/heads/master@{#429670}
(cherry picked from commit 403c8359bdc2b635d480a80329c41be422583c1f)

Review URL: https://codereview.chromium.org/2537583002 .

Cr-Commit-Position: refs/branch-heads/2883@{#669}
Cr-Branched-From: 614d31daee2f61b0180df403a8ad43f20b9f6dd7-refs/heads/master@{#423768}

[modify] https://crrev.com/b471372e332a57d76d02fd2a0f616372192d60e6/net/cert/ct_known_logs_static-inc.h

Jan 16 2017
The attached root certificates should be accepted by Skydiver within the next couple of days. This brings us up to date with the latest roots trusted by Apple, Microsoft and Mozilla.

May 17 2017
The attached root certificates should be accepted by Skydiver within the next 7 days. This brings us up to date with the latest roots trusted by Apple, Microsoft and Mozilla.

Jul 3 2017
The attached root certificates should be accepted by Skydiver within the next few days. This brings us up-to-date with the latest roots trusted by Apple, Microsoft and Mozilla.

Jul 14 2017

Nov 14 2017
The following root certificates should be accepted by this log within the next few days. This brings us up-to-date with the latest roots trusted by Apple, Microsoft and Mozilla. https://bugs.chromium.org/p/chromium/issues/attachment?aid=312118

Apr 16 2018
The attached root certificates should be accepted by this log within the next few days. This brings us up-to-date with the latest roots trusted by Apple, Microsoft and Mozilla.
Comment 1 by sheriffbot@chromium.org, Jul 30 2016