Certificate Transparency - Google "Icarus" log server inclusion request
Issue description

Contact Information:
- email: google-ct-logs@googlegroups.com
- phone number: +442070313000 (Google UK)
- Log Operator: Al Cutter, Eran Messeri, Pierre Phaneuf, Paul Hadfield, Martin Smith, Rob Percival, Kat Joyce

Log Server URL: https://ct.googleapis.com/icarus
Log ID: KTxRllTIOWW6qlD8WAfUt2+/WHopctykwwz05UVH9Hg=
Server public key: Attached file: google-icarus-key-public.pem
Description: Google's sixth CT log, operating since 2016-Jul-27. At time of application Icarus will log probe certificates that chain to the Chromium Compliance Monitor root. Further roots will be announced on this bug during the compliance test period.
MMD: 24 hours
Accepted roots: Attached file: google-icarus-roots-20160729.pem
Aug 1 2016
Adding TE-NeedsFurtherTriage as it can't be triaged from TE end.
Aug 1 2016
This does not seem like a good precedent to set - not accepting any roots until you pass compliance testing. For example, it does not help reassure the public about the utility in this log or what its policies may be.
Aug 1 2016
Per the on-going policy discussion here: https://groups.google.com/a/chromium.org/d/msg/ct-policy/2ZL4tSCwbYU/xcck3xZ8BQAJ

Google plan to launch Icarus and Skydiver as a pair of logs, which between them cover the same open set of roots as the other Google logs Aviator, Pilot & Rocketeer. I aim to have finalised the root split by EOB 2016-Aug-05 and will update this bug with the Icarus root set then.
Aug 5 2016
Please find attached the revised set of roots accepted by Google's Icarus CT log, in google-icarus-roots-20160805.pem

In summary, these are:
Subject: C=GB, ST=London, O=Google UK Ltd., OU=Certificate Transparency, CN=Merge Delay Monitor Root
Subject: C=US, O=Internet Security Research Group, CN=ISRG Root X1
Subject: O=Digital Signature Trust Co., CN=DST Root CA X3
Aug 5 2016
Thank you for your request, we have started monitoring your log server. Should no issues be detected, the initial compliance monitoring phase will be complete on 3rd November 2016 and we will update this bug shortly after that date to confirm.
Nov 3 2016
This log has passed the initial 90 day compliance period and we will start the process to add this to Chrome.
Nov 3 2016
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/403c8359bdc2b635d480a80329c41be422583c1f

commit 403c8359bdc2b635d480a80329c41be422583c1f
Author: robpercival <robpercival@chromium.org>
Date: Thu Nov 03 19:29:36 2016

Add icarus and skydiver CT logs

They have completed their initial compliance monitoring successfully.

BUG=632752,632753
Review-Url: https://codereview.chromium.org/2477563004
Cr-Commit-Position: refs/heads/master@{#429670}

[modify] https://crrev.com/403c8359bdc2b635d480a80329c41be422583c1f/net/cert/ct_known_logs_static-inc.h
Nov 21 2016
Please ensure Milestones are set when marking an issue Fixed.
Nov 28 2016
As pointed out in https://groups.google.com/forum/#!topic/certificate-transparency/JZPpFqU_KVM, there will only be a single trusted Google CT log (Pilot) accepting submissions for the 6-10 hours that Rocketeer is read-only. Were this to fail, no CAs would be able to issue EV certificates for that time period.

If we cherry-pick this update to the known logs list, and delay the Rocketeer maintenance by a week, then there will be 3 trusted Google logs during this maintenance period instead. However, I realise that this is very much a last minute request!
Nov 28 2016
[Automated comment] Less than 2 weeks to go before stable on M55, manual review required.
Nov 28 2016
Is this change applicable to all OSs or any specific OS?
Nov 28 2016
Certificate Transparency checks are performed on all platforms except for mobile I believe. This is just a data change (adds a couple of elements to the array of CT logs), so carries minimal risk.
Nov 28 2016
This is apparently something we have prior agreement to be able to do, in general. Quoting eranm@chromium.org: "Ryan [Sleevi] very helpfully negotiated an agreement from the Chrome TPMs to cherry-pick log inclusion changes which they've upheld on previous occasions."
Nov 28 2016
Approving merge to M55 branch 2883 based on comment #20, #21 and per chat with robpercival@. Please merge ASAP. Merge has to happen today (Monday) before 4:00 PM PT in order to make it to the desktop final build cut.
Nov 28 2016
Per discussions with Ryan Hurst, I don't think we should be merging this, especially not this close to branch, as a matter of policy. We have a playbook for this. Let's sync up and figure out where we're dropping the ball.
Nov 28 2016
I agree this isn't how it should have happened, but let's take this for M55.
Nov 28 2016
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/b471372e332a57d76d02fd2a0f616372192d60e6

commit b471372e332a57d76d02fd2a0f616372192d60e6
Author: Andrew R. Whalley <awhalley@chromium.org>
Date: Mon Nov 28 20:42:30 2016

[M55 merge] Add icarus and skydiver CT logs

They have completed their initial compliance monitoring successfully.

BUG=632752,632753
Review-Url: https://codereview.chromium.org/2477563004
Cr-Commit-Position: refs/heads/master@{#429670}
(cherry picked from commit 403c8359bdc2b635d480a80329c41be422583c1f)

Review URL: https://codereview.chromium.org/2537583002 .

Cr-Commit-Position: refs/branch-heads/2883@{#669}
Cr-Branched-From: 614d31daee2f61b0180df403a8ad43f20b9f6dd7-refs/heads/master@{#423768}

[modify] https://crrev.com/b471372e332a57d76d02fd2a0f616372192d60e6/net/cert/ct_known_logs_static-inc.h