
Issue 703699

Starred by 5 users

Issue metadata

Status: Fixed
Owner:
Closed: Jul 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux, Android, Windows, iOS, Chrome, Mac
Pri: 3
Type: Task




Certificate Transparency: Inclusion of Comodo's "Mammoth" Log

Reported by robst...@gmail.com, Mar 21 2017

Issue description

Contact Details:
  - Log Operator: Comodo
  - Email: ctops@comodo.com
  - Telephone: +44-1274-730505 (UK)
  - Authorized Personnel: Rob Stradling, Robin Alden, and the Comodo IT Operations Team

HTTPS Endpoint: https://mammoth.ct.comodo.com/

Maximum Merge Delay: 24hrs

Public Key: see attached (mammoth_pubkey.der)

Accepted Roots: see attached (mammoth_roots.pem)

Description:
  - Open acceptance policy: This log accepts all roots that are enabled for the server authentication trust purpose in one or more of the Microsoft, Mozilla and Apple root programs.  We will update this log's list of accepted roots from time to time in accordance with this policy.
  - Free: There is no cost to CAs for having a root accepted by this log.  There is also no cost for submitting certificates/precertificates to this log.  There are no contracts to sign at present, but we reserve the right to require contracts in the future.
  - Rate limits: Submissions are rate-limited by IP address.  Upon request, Comodo will consider raising a submitter's rate limit, but Comodo reserves the right to decline such requests (if Comodo does not believe there is sufficient spare capacity) or to charge for this service in the future.
  - Reasonable Commercial Efforts: Comodo expects to be able to accept submissions for newly issued certificates, but Comodo asks that submitters refrain from submitting (to this log) large numbers of certificates that were not recently issued.  Comodo reserves the right to remove (temporarily or permanently) any root from this log's list of accepted roots, without prior notice, if Comodo is unable to cope with the rate of submissions associated with that root.
  - Disclaimer: Comodo's "Mammoth" log is provided "AS-IS".  The log is an aggregate of information from Comodo and third parties not under Comodo's control and, therefore, Comodo does not guarantee accuracy of information from third party sources or contributors.  Further, Comodo does not guarantee the performance or availability to any end users of the log, whether to certification authorities or other submitters or to any parties or individuals desiring to read the status or the content of the log.  We reserve the right to update this log policy from time to time.
 
mammoth_roots.pem (571 KB)
mammoth_pubkey.der (91 bytes)
Cc: rsleevi@chromium.org
Components: Internals>Network>SSL
Cc: eranm@chromium.org
Components: -Internals>Network>SSL Internals>Network>CertTrans
Cc: certific...@googlegroups.com
Labels: -Type-Bug Type-Task
Status: Available (was: Unconfirmed)

Comment 4 by eranm@chromium.org, Mar 21 2017

Cc: robpercival@chromium.org
Owner: eranm@chromium.org

Comment 5 by eranm@chromium.org, Mar 22 2017

Seems to me all of the required information was provided:
- Email alias.
- A phone number.
- A list of person(s) authorized to represent the Log Operator.
- A public HTTP endpoint.
- The Log’s public key in DER format.
- A description of the Log, including applicable policies or requirements
  for logging certificates.
- The Maximum Merge Delay (MMD) of the Log
- All of the Accepted Root Certificates of the Log.

I am working on getting it compliance monitored and will update when that's done.

Comment 6 Deleted

NextAction: 2017-06-20
I can confirm based on the information that this appears to be compliant with Chrome's CT Log Policy. Updating the NextAction to reflect 90 days from the compliance period starting.

Comment 8 by eranm@chromium.org, Mar 22 2017

The log is now being monitored for compliance (started on mid-day UTC, 2017-03-22).

Comment 9 by robst...@gmail.com, May 15 2017

Updating the accepted roots to pull in the latest changes to the Microsoft root program:
Added "Swiss Government Root CA III" (https://crt.sh/?sha256=958ABBAEFF760F4FBF66FF0F2C2708F4739B2C686127239A2C4EC87A68A984C8)

BTW, we're now preparing/tracking changes to our logs' accepted roots here:
https://github.com/Comodo-CA/CTLogs-AcceptedRoots

Comment 10 by eranm@chromium.org, Jun 19 2017

Owner: hadfieldp@chromium.org
Re-assigning to Paul for follow-up.
The NextAction date has arrived: 2017-06-20
NextAction: ----
This log has passed the initial 90 day compliance period and we will start the process to add this to Chrome.
Owner: robpercival@chromium.org
Status: Started (was: Available)

Comment 14 by bugdroid1@chromium.org, Jun 24 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/051c5b971f19b6bf84e2b8b5f2b11359263cef11

commit 051c5b971f19b6bf84e2b8b5f2b11359263cef11
Author: Rob Percival <robpercival@chromium.org>
Date: Sat Jun 24 07:20:01 2017

Add Comodo Sabre and Mammoth CT logs to log_list.json

These Certificate Transparency logs have successfully completed their
initial compliance monitoring.

Bug: 703700, 703699
Change-Id: Ie5e451c9bf2c9df2f190e2ac1d760747ffdc099a
Reviewed-on: https://chromium-review.googlesource.com/545955
Commit-Queue: Ryan Sleevi <rsleevi@chromium.org>
Reviewed-by: Ryan Sleevi <rsleevi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#482145}
[modify] https://crrev.com/051c5b971f19b6bf84e2b8b5f2b11359263cef11/net/data/ssl/certificate_transparency/log_list.json

Labels: M-61
Labels: OS-Chrome OS-Linux OS-Mac OS-Windows
@rsleevi: Are you happy for me to request that this be merged into M-60?
Labels: Merge-Request-60 OS-Android OS-iOS
Yes, that is the agreed upon playbook after landing :)

Comment 18 by sheriffbot@chromium.org, Jun 26 2017

Labels: -Merge-Request-60 Hotlist-Merge-Review Merge-Review-60
This bug requires manual review: Less than 25 days to go before AppStore submit on M60
Please contact the milestone owner if you have questions.
Owners: amineer@(Android), cmasso@(iOS), josafat@(ChromeOS), bustamante@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
This bug is not an RBS, please can you provide rationale as to why this change is required to be merged to M60? How risky is the change if we merge it?
cmasso: awhalley@ can speak to it, we'd previously worked out with the TPMs a bulk auto-approval, as it's a data-file only change that ensures Chrome 60 will include support for new services coming online, to ensure no service disruption for Chrome users.

It's incredibly low risk / no risk.
Cc: awhalley@chromium.org
Labels: -Merge-Review-60 Merge-Approved-60
approving merge to m60. 

Comment 23 by robst...@gmail.com, Jun 28 2017

Updating the accepted roots to pull in the latest changes to the Microsoft root program:
Added "PosDigicert Class 2 Root CA G2" (https://crt.sh/?sha256=19ABCDFF3A74402FA8F0CA206BF7FAB0DFFFF3AE2BBD719584D21090A4353207)
Added "Application CA G4 Root" (https://crt.sh/?sha256=D1A0319098034E3AEC729A0B5C3111229D9D26E3E623E8C5E6843FA06EE8E2E4)
Added "SI-TRUST Root" (https://crt.sh/?sha256=FAD540811AFAE0DC767CDF6572A088FA3CE8493DD82B3B869A67D10AAB4E8124)

See also https://github.com/Comodo-CA/CTLogs-AcceptedRoots/tree/v1.2
Could someone with commit rights please merge this commit to the M60 branch please?
Rob: You don't need a commit bit to do https://www.chromium.org/developers/how-tos/drover
Er, wait, for Chromium it does. Righto...

Comment 27 by sheriffbot@chromium.org, Jul 3 2017

Cc: abdulsyed@chromium.org
This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible!

If all merges have been completed, please remove any remaining Merge-Approved labels from this issue.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 28 by bugdroid1@chromium.org, Jul 6 2017

Labels: -merge-approved-60 merge-merged-3112
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/5181e297dcae9ecd0d884177b198b4961d03d792

commit 5181e297dcae9ecd0d884177b198b4961d03d792
Author: Eran Messeri <eranm@google.com>
Date: Thu Jul 06 11:06:49 2017

Add Comodo Sabre and Mammoth CT logs to log_list.json

These Certificate Transparency logs have successfully completed their
initial compliance monitoring.

TBR=robpercival@chromium.org

(cherry picked from commit 051c5b971f19b6bf84e2b8b5f2b11359263cef11)

Bug: 703700, 703699
Change-Id: Ie5e451c9bf2c9df2f190e2ac1d760747ffdc099a
Reviewed-on: https://chromium-review.googlesource.com/545955
Commit-Queue: Ryan Sleevi <rsleevi@chromium.org>
Reviewed-by: Ryan Sleevi <rsleevi@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#482145}
Reviewed-on: https://chromium-review.googlesource.com/561396
Reviewed-by: Eran Messeri <eranm@chromium.org>
Cr-Commit-Position: refs/branch-heads/3112@{#528}
Cr-Branched-From: b6460e24cf59f429d69de255538d0fc7a425ccf9-refs/heads/master@{#474897}
[modify] https://crrev.com/5181e297dcae9ecd0d884177b198b4961d03d792/net/data/ssl/certificate_transparency/log_list.json

Status: Fixed (was: Started)
Updating the accepted roots to pull in the latest changes to the Microsoft, Mozilla and Apple root programs:
Added "D-TRUST Root CA 3 2013" (https://crt.sh/?sha256=A1A86D04121EB87F027C66F53303C28E5739F943FC84B38AD6AF009035DD9457)
Added "GlobalSign Root CA - R6" (https://crt.sh/?sha256=2CABEAFE37D06CA22ABA7391C0033D25982952C453647349763A3AB5AD6CCF69)
Added "GTS Root R1" (https://crt.sh/?sha256=2A575471E31340BC21581CBD2CF13E158463203ECE94BCF9D3CC196BF09A5472)
Added "GTS Root R2" (https://crt.sh/?sha256=C45D7BB08E6D67E62E4235110B564E5F78FD92EF058C840AEA4E6455D7585C60)
Added "GTS Root R3" (https://crt.sh/?sha256=15D5B8774619EA7D54CE1CA6D0B0C403E037A917F131E8A04E1E6B7A71BABCE5)
Added "GTS Root R4" (https://crt.sh/?sha256=71CCA5391F9E794B04802530B363E121DA8A3043BB26662FEA4DCA7FC951A4BD)
Added "Halcom Root Certificate Authority" (https://crt.sh/?sha256=D7BA3F4FF8AD05633451470DDA3378A3491B90005E5C687D2B68D53647CFDD66)
Added "Netrust Root CA 2" (https://crt.sh/?sha256=65353833CF234C79562164F90849C0D104DBABF8EE41064D83E8CBE03BA1C5A5)
Added "SSL.com EV Root Certification Authority RSA R2" (https://crt.sh/?sha256=2E7BF16CC22485A7BBE2AA8696750761B0AE39BE3B2FE9D0CC6D4EF73491425C)
Removed "AddTrust Public CA Root" (https://crt.sh/?sha256=0791CA0749B20782AAD3C7D7BD0CDFC9485835843EB2D7996009CE43AB6C6927)
Removed "AddTrust Qualified CA Root" (https://crt.sh/?sha256=8095210805DB4BBC355E4428D8FD6EC2CDE3AB5FB97A9942988EB8F4DCD06016)
Removed "Secure Certificate Services" (https://crt.sh/?sha256=BD81CE3B4F6591D11A67B5FC7A47FDEF25521BF9AA4E18B9E3DF2E34A7803BE8)
Removed "Sonera Class1 CA" (https://crt.sh/?sha256=CD808284CF746FF2FD6EB58AA1D59C4AD4B3CA56FDC6274A8926A7835F32313D)
Removed "Trusted Certificate Services" (https://crt.sh/?sha256=3F06E55681D496F5BE169EB5389F9F2B8FF61E1708DF6881724849CD5D27CB69)
Removed "UTN-USERFirst-Network Applications" (https://crt.sh/?sha256=C38DCB38959393358691EA4D4F3CE495CE748996E64ED1891D897A0FC4DD55C6)

Comment 32 by robst...@gmail.com, Nov 27 2017

"Log Operator: Comodo" was reasonably unambiguous when this bug was filed.  However, given the recent purchase by Francisco Partners of a majority stake in Comodo CA Limited, we would like to clarify that this CT log is being operated by Comodo CA Limited.
Updating the accepted roots to pull in the latest changes to the Microsoft root program:

Added "OISTE WISeKey Global Root GC CA" (https://crt.sh/?sha256=8560F91C3624DABA9570B5FEA0DBE36FF11A8323BE9486854FB3F34A5571198D)
Added "ATHEX Root CA G2" (https://crt.sh/?sha256=C1727F3B673E6AE7F12F23D789A7BE38B918223EF6911C592DA1F583444A547E)
Removed "PSCProcert" (https://crt.sh/?sha256=3CFC3C14D1F684FF17E38C43CA440C00B967EC933E8BFE064CA1D72C90F2ADB0)

See also https://github.com/Comodo-CA/CTLogs-AcceptedRoots/tree/v1.4

Comment 34 by robst...@gmail.com, Apr 12 2018

Updating the accepted roots to pull in the latest changes to the Microsoft root program:

Added "certSIGN ROOT CA G2" (https://crt.sh/?sha256=657CFE2FA73FAA38462571F332A2363A46FCE7020951710702CDFBB6EEDA3305)

See also https://github.com/Comodo-CA/CTLogs-AcceptedRoots/tree/v1.5
Updating the accepted roots to pull in the latest changes to the Microsoft and Mozilla root programs:

Added "GLOBALTRUST 2015" (https://crt.sh/?sha256=416B1F9E84E74C1D19B23D8D7191C6AD81246E641601F599132729F507BEB3CC)
Added "Microsoft ECC Product Root Certificate Authority 2018" (https://crt.sh/?sha256=CACA93B9D23D2B6FA76E8B8471931E0DF3EC6F63AF3CDBB936C41954A1872326)
Removed "Buypass Class 2 CA 1" (https://crt.sh/?sha256=0F4E9CDD264B025550D170806340214FE94434C9B02F697EC710FC5FEAFB5E38)
Removed "DST ACES CA X6" (https://crt.sh/?sha256=767C955A76412C89AF688E90A1C70F556CFD6B6025DBEA10416D7EB6831F8C40)
Removed "TÜRKTRUST Bilgi İletişim ve Bilişim Güvenliği Hizmetleri A.Ş. (c) Aralık 2007" (https://crt.sh/?sha256=978CD966F2FAA07BA7AA9500D9C02E9D77F2CDADA6AD6BA74AF4B91C66593C50)

See also https://github.com/Comodo-CA/CTLogs-AcceptedRoots/tree/v1.6
Updating the accepted roots to pull in the latest changes to the Microsoft root program:

Added "emSign Root CA - C1" (https://crt.sh/?sha256=125609AA301DA0A249B97A8239CB6A34216F44DCAC9F3954B14292F2E8C8608F)
Added "emSign Root CA - G1" (https://crt.sh/?sha256=40F6AF0346A99AA1CD1D555A4E9CCE62C7F9634603EE406615833DC8C8D00367)
Added "emSign ECC Root CA - G3" (https://crt.sh/?sha256=86A1ECBA089C4A8D3BBE2734C612BA341D813E043CF9E8A862CD5C57A36BBE6B)
Added "emSign ECC Root CA - C3" (https://crt.sh/?sha256=BC4D809B15189D78DB3E1D8CF4F9726A795DA1643CA5F1358E1DDB0EDC0D7EB3)
Added "Entrust Root Certification Authority - G4" (https://crt.sh/?sha256=DB3517D1F6732A2D5AB97C533EC70779EE3270A62FB4AC4238372460E6F01E88)

See also https://github.com/Comodo-CA/CTLogs-AcceptedRoots/tree/v1.7
Could you let me know what HTTP response code your logs return when rate-limiting please? We've been seeing some HTTP 503 responses recently and are curious as to whether this is due to rate-limiting.
We currently return HTTP 503 when rate-limiting, which is the default nginx behaviour - see https://www.nginx.com/blog/rate-limiting-nginx/.

I've just asked our ops team to add "limit_req_status 429" to our logs' nginx config at the next available opportunity, after which we will then return HTTP 429 when rate-limiting.
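
The change described in the reply above, as an added nginx configuration sketch (not part of the original thread and not Comodo's actual configuration). The zone name, rate, burst, host name and backend address are assumed values; the `add-chain` / `add-pre-chain` paths are the RFC 6962 submission endpoints.

```nginx
# Added example; zone name, rate, burst, host name and backend are assumptions.
events {}

http {
    # One counter per client IP address (the log policy says submissions are
    # rate-limited by IP address). Shared zone of 10m, 5 requests per second.
    limit_req_zone $binary_remote_addr zone=ct_submit:10m rate=5r/s;

    upstream ct_log_backend {            # hypothetical log server
        server 127.0.0.1:8080;
    }

    server {
        listen 80;                       # TLS directives omitted in this sketch
        server_name ct-log.example;      # placeholder host name

        # Submission endpoints: add-chain and add-pre-chain.
        location ~ ^/ct/v1/add-(pre-)?chain$ {
            limit_req zone=ct_submit burst=10 nodelay;

            # Without this directive nginx rejects over-limit requests with
            # 503, which a submitter cannot tell apart from a real outage.
            limit_req_status 429;

            # Log rejections at "warn" so they can be counted separately
            # from backend errors.
            limit_req_log_level warn;

            proxy_pass http://ct_log_backend;
        }

        # Read endpoints (get-sth, get-entries, ...) are not limited here.
        location /ct/v1/ {
            proxy_pass http://ct_log_backend;
        }
    }
}
```

With `limit_req_status 429` in place, a 503 seen by a submitter or monitor points to the log or its proxy being unavailable rather than to throttling.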
Updating the accepted roots to pull in the latest changes to the Microsoft root program:

Added "Hongkong Post Root CA 3" (https://crt.sh/?sha256=5A2FC03F0C83B090BBFA40604B0988446C7636183DF9846E17101A447FB8EFD6)
Added "Fina Root CA" (https://crt.sh/?sha256=5AB4FCDB180B5B6AF0D262A2375A2C77D25602015D96648756611E2E78C53AD3)

See also https://github.com/Comodo-CA/CTLogs-AcceptedRoots/tree/v1.8.1
Further to comment 32, Comodo CA Limited has been renamed to Sectigo Limited.
