Certificate Transparency - Symantec SIRIUS Log Server Inclusion
Reported by
dl-eng-s...@symantec.com,
Feb 15 2017
|
||||||||||||||||
Issue descriptionThis is the third Certificate Transparency Log server “SIRIUS" operated by Symantec. At this time this server will be used by Symantec to log Symantec Certificate Authority issued certificates. All accepted Root Certificates by this log are attached. It includes 18 roots from Symantec and "Merge Delay Monitor Root" from Google. Log Server URL: https://sirius.ws.symantec.com/ct/v1 MMD: 24 hours HTTPS supported: yes Operator: Symantec Contact: - email: DL-ENG-Symantec-SIRIUS-CT-Log@symantec.com - Phone: +1 (650) 527-4466 - contact persons: Symantec Authentication Services Production Operations Log Server Public Key: -----BEGIN PUBLIC KEY----- MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEowJkhCK7JewN47zCyYl93UXQ7uYV hY/Z5xcbE4Dq7bKFN61qxdglnfr0tPNuFiglN+qjN2Syxwv9UeXBBfQOtQ== -----END PUBLIC KEY----- What steps will reproduce the problem? What is the expected result? Symantec SIRIUS CT Log Server inclusion in Chrome. What happens instead? Please provide any additional information below. Attach a screenshot if possible.
,
Feb 17 2017
Are there any plans to extend this logging to any non-Symantec issued certificates? Can you please expand on what you mean by "Symantec Certificate Authority" issued certificates? For example, is this limited to the set of certificates issued by Symantec infrastructure, does this include the activities of RAs (past, present, or future)? Of sub-CAs, either technically constrained or independently operated? The question is relevant to the https://www.chromium.org/Home/chromium-security/certificate-transparency/log-policy and understanding whether the proposed Log is "recognized to be operating in the public interest"
,
Feb 20 2017
Adding Rob as FYI.
,
Feb 21 2017
,
Feb 23 2017
Yes, we’re going to extend logging to non-Symantec issued certificates. "Symantec Certificate Authority” issued certificates includes all certificates issued by Symantec and all RAs that chain up to the attached 18 publicly trusted roots.
,
Feb 23 2017
,
Feb 25 2017
@rob/eran: Sounds like we have enough to progress and begin monitoring. @Symantec: To better ensure that future policy changes properly consider the ecosystem of both CAs and Log Operators, can you clarify why you're requesting an additional log, given both the existing Symantec and Vega logs? What's the intended purpose of this log relative to those?
,
Feb 28 2017
Monitoring started at ca. 1300 GMT, 2017-Feb-28
,
Mar 3 2017
The main intent for SIRIUS CT Log server is to increase redundancy. In the ecosystem, as a CA, we need to have multiple log servers available to log certificates for business continuity. As a Log Operator, in the public interest, we will also open this log server to other CA's for logging non-Symantec issued certificates.
,
Mar 3 2017
Thank you. I just wanted to make sure to maintain documentation about the purpose for this log and ensuring our CT Log Policy properly reflects the best ecosystem practices.
,
Mar 6 2017
@Symantec - that answer seems vague. Can you clarify whether all Symantec logs will be open to other cas? Sounds like juts sirius may be open to other cas.
,
Mar 9 2017
Symantec CT Log server is already open to log certificates from other CA’s and as mentioned earlier we will also be making SIRIUS available to other CA’s. VEGA will continue to accept only certificates that chain up to Symantec roots.
,
Mar 9 2017
So the digicert request is equivalent to Vega. Please send us details on how to add the digicert root to sirius as we've been previously told all Symantec logs are limited to Symantec roots.
,
Mar 10 2017
Please contact DL-ENG-Symantec-Sirius-CT-Log@symantec.com with your request.
,
Apr 18 2017
On Saturday, April 22nd, 2017 from 08:00pm PT to 08:30PM PT, we will perform scheduled maintenance on sirius.ws.symantec.com. During the maintenance window, the log will not be available for any operation. We expect that even with this maintenance window, the log will be well within Chrome's Log uptime policy.
,
Jun 6 2017
,
Jun 6 2017
This log has passed the initial 90 day compliance period and we will start the process to add this to Chrome.
,
Jun 30 2017
I'm not sure why sheriffbot didn't ping this, but it landed in https://chromium.googlesource.com/chromium/src/+/6faeef0f0300547242c025a122479b7e036d3e46 Setting Merge-Request-60 because it's a data-file only merge that will ensure Chrome 60 will support this service, but I know we're close to the cut point.
,
Jun 30 2017
Note for TPMs - this is similar to https://bugs.chromium.org/p/chromium/issues/detail?id=703699#c19
,
Jun 30 2017
This bug requires manual review: Less than 21 days to go before AppStore submit on M60 Please contact the milestone owner if you have questions. Owners: amineer@(Android), cmasso@(iOS), josafat@(ChromeOS), bustamante@(Desktop) For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Jun 30 2017
This bug meets the bar for merge to M60. Approving merge. (branch: 3112)
,
Jul 3 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/b1d3e2982d26d72f5968ddc09b73c6c192ecfb5c commit b1d3e2982d26d72f5968ddc09b73c6c192ecfb5c Author: Eran Messeri <eranm@google.com> Date: Mon Jul 03 13:25:33 2017 Add to CT log list Digicert2 and Symantec Sirius. Digicert CT2 completed probation on 2017-Jun-04. Symantec Sirius completed probation on 2017-May-30. R=rsleevi@chromium.org BUG= 698094 ,692782 Review-Url: https://codereview.chromium.org/2923193002 Cr-Original-Commit-Position: refs/heads/master@{#481160} Review-Url: https://codereview.chromium.org/2970713002 . Cr-Commit-Position: refs/branch-heads/3112@{#508} Cr-Branched-From: b6460e24cf59f429d69de255538d0fc7a425ccf9-refs/heads/master@{#474897} [modify] https://crrev.com/b1d3e2982d26d72f5968ddc09b73c6c192ecfb5c/net/data/ssl/certificate_transparency/log_list.json
,
Dec 14 2017
Following new trusted roots will be added to Symantec SIRIUS Log Server C=IE, O=Baltimore, OU=CyberTrust, CN=Baltimore CyberTrust Root O=Cybertrust, Inc, CN=Cybertrust Global Root C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Root CA C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Root G2 C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Root G3 C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Federated ID Root CA C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root CA C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root G2 C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root G3 C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Private Services Root C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Trusted Root G4 C=US, O=GTE Corporation, OU=GTE CyberTrust Solutions, Inc., CN=GTE CyberTrust Global Root C=US, O=Verizon Business, OU=OmniRoot, CN=Verizon Global Root CA
,
Mar 27 2018
DigiCert plans to decommission this log in Sept 2018. What's the process of doing so?
,
Mar 27 2018
Jeremy: the Chromium team can actually answer your question of course; but as a community member one thing I'd like to ask is that you ensure that all the certificates and pre-certs found in this log are mirrored to at least one other community log (possibly Deadalus for those certificates that are expired), that way new ecosystem participants are able to leverage CT's community archival functionality, as existing systems like crt.sh do.
,
Sep 27
All trusted roots will be removed from this CT Log Server on 1-Oct-2018 00:00:00 UTC and the server will be shut down on 13-Oct-2018 00:00:00 UTC. |
||||||||||||||||
►
Sign in to add a comment |
||||||||||||||||
Comment 1 by asanka@chromium.org
, Feb 17 2017