Certificate Transparency: Inclusion of Comodo's "Sabre" Log
Reported by robst...@gmail.com, Mar 21 2017
Issue description

Contact Details:
- Log Operator: Comodo
- Email: ctops@comodo.com
- Telephone: +44-1274-730505 (UK)
- Authorized Personnel: Rob Stradling, Robin Alden, and the Comodo IT Operations Team

HTTPS Endpoint: https://sabre.ct.comodo.com/
Maximum Merge Delay: 24hrs
Public Key: see attached (sabre_pubkey.der)
Accepted Roots: see attached (sabre_roots.pem)

Description:
- Open acceptance policy: This log accepts all roots that are enabled for the server authentication trust purpose in one or more of the Microsoft, Mozilla and Apple root programs. We will update this log's list of accepted roots from time to time in accordance with this policy.
- Free: There is no cost to CAs for having a root accepted by this log. There is also no cost for submitting certificates/precertificates to this log. There are no contracts to sign at present, but we reserve the right to require contracts in the future.
- Rate limits: Submissions are rate-limited by IP address. Upon request, Comodo will consider raising a submitter's rate limit, but Comodo reserves the right to decline such requests (if Comodo does not believe there is sufficient spare capacity) or to charge for this service in the future.
- Reasonable Commercial Efforts: Comodo expects to be able to accept submissions for newly issued certificates, but Comodo asks that submitters refrain from submitting (to this log) large numbers of certificates that were not recently issued. Comodo reserves the right to remove (temporarily or permanently) any root from this log's list of accepted roots, without prior notice, if Comodo is unable to cope with the rate of submissions associated with that root.
- Disclaimer: Comodo's "Sabre" log is provided "AS-IS". The log is an aggregate of information from Comodo and third parties not under Comodo's control and, therefore, Comodo does not guarantee accuracy of information from third party sources or contributors. Further, Comodo does not guarantee the performance or availability to any end users of the log, whether to certification authorities or other submitters or to any parties or individuals desiring to read the status or the content of the log. We reserve the right to update this log policy from time to time.
Mar 22 2017
Seems to me all of the required information was provided:
- Email alias.
- A phone number.
- A list of person(s) authorized to represent the Log Operator.
- A public HTTP endpoint.
- The Log’s public key in DER format.
- A description of the Log, including applicable policies or requirements for logging certificates.
- The Maximum Merge Delay (MMD) of the Log
- All of the Accepted Root Certificates of the Log.

I am working on getting it compliance monitored and will update when that's done.
Mar 22 2017
I can confirm based on the information that this appears to be compliant with Chrome's CT Log Policy. Updating the NextAction to reflect 90 days from the compliance period starting.
Mar 22 2017
The log is now being monitored for compliance (started on mid-day UTC, 2017-03-22).
May 15 2017
Updating the accepted roots to pull in the latest changes to the Microsoft root program:
Added "Swiss Government Root CA III" (https://crt.sh/?sha256=958ABBAEFF760F4FBF66FF0F2C2708F4739B2C686127239A2C4EC87A68A984C8)
BTW, we're now preparing/tracking changes to our logs' accepted roots here: https://github.com/Comodo-CA/CTLogs-AcceptedRoots
Jun 19 2017
Re-assigning to Paul for follow-up.
Jun 20 2017
The NextAction date has arrived: 2017-06-20
Jun 22 2017
This log has passed the initial 90 day compliance period and we will start the process to add this to Chrome.
Jun 24 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/051c5b971f19b6bf84e2b8b5f2b11359263cef11

commit 051c5b971f19b6bf84e2b8b5f2b11359263cef11
Author: Rob Percival <robpercival@chromium.org>
Date: Sat Jun 24 07:20:01 2017

Add Comodo Sabre and Mammoth CT logs to log_list.json

These Certificate Transparency logs have successfully completed their initial compliance monitoring.

Bug: 703700, 703699
Change-Id: Ie5e451c9bf2c9df2f190e2ac1d760747ffdc099a
Reviewed-on: https://chromium-review.googlesource.com/545955
Commit-Queue: Ryan Sleevi <rsleevi@chromium.org>
Reviewed-by: Ryan Sleevi <rsleevi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#482145}

[modify] https://crrev.com/051c5b971f19b6bf84e2b8b5f2b11359263cef11/net/data/ssl/certificate_transparency/log_list.json
Jun 26 2017
@rsleevi: Are you happy for me to request that this be merged into M-60?
Jun 26 2017
Yes, that is the agreed upon playbook after landing :)
Jun 26 2017
This bug requires manual review: Less than 25 days to go before AppStore submit on M60
Please contact the milestone owner if you have questions.
Owners: amineer@(Android), cmasso@(iOS), josafat@(ChromeOS), bustamante@(Desktop)
For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jun 26 2017
This bug is not an RBS, please can you provide rationale as to why this change is required to be merged to M60? How risky is the change if we merge it?
Jun 26 2017
cmasso: awhalley@ can speak to it, we'd previously worked out with the TPMs a bulk auto-approval, as it's a data-file only change that ensures Chrome 60 will include support for new services coming online, to ensure no service disruption for Chrome users. It's incredibly low risk / no risk.
Jun 27 2017
I'm happy with this change going to M60. The change is low risk, and reduces the bigger ecosystem risk of a long wait between approval and shipping in stable. Might be easier to tag these as Release Block Stable in the future.
Jun 27 2017
Approving merge to M60 based on comment 21.
Jun 28 2017
Updating the accepted roots to pull in the latest changes to the Microsoft root program:
Added "PosDigicert Class 2 Root CA G2" (https://crt.sh/?sha256=19ABCDFF3A74402FA8F0CA206BF7FAB0DFFFF3AE2BBD719584D21090A4353207)
Added "Application CA G4 Root" (https://crt.sh/?sha256=D1A0319098034E3AEC729A0B5C3111229D9D26E3E623E8C5E6843FA06EE8E2E4)
Added "SI-TRUST Root" (https://crt.sh/?sha256=FAD540811AFAE0DC767CDF6572A088FA3CE8493DD82B3B869A67D10AAB4E8124)
See also https://github.com/Comodo-CA/CTLogs-AcceptedRoots/tree/v1.2
Jul 3 2017
This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible! If all merges have been completed, please remove any remaining Merge-Approved labels from this issue. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jul 6 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/5181e297dcae9ecd0d884177b198b4961d03d792

commit 5181e297dcae9ecd0d884177b198b4961d03d792
Author: Eran Messeri <eranm@google.com>
Date: Thu Jul 06 11:06:49 2017

Add Comodo Sabre and Mammoth CT logs to log_list.json

These Certificate Transparency logs have successfully completed their initial compliance monitoring.

TBR=robpercival@chromium.org

(cherry picked from commit 051c5b971f19b6bf84e2b8b5f2b11359263cef11)

Bug: 703700, 703699
Change-Id: Ie5e451c9bf2c9df2f190e2ac1d760747ffdc099a
Reviewed-on: https://chromium-review.googlesource.com/545955
Commit-Queue: Ryan Sleevi <rsleevi@chromium.org>
Reviewed-by: Ryan Sleevi <rsleevi@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#482145}
Reviewed-on: https://chromium-review.googlesource.com/561396
Reviewed-by: Eran Messeri <eranm@chromium.org>
Cr-Commit-Position: refs/branch-heads/3112@{#528}
Cr-Branched-From: b6460e24cf59f429d69de255538d0fc7a425ccf9-refs/heads/master@{#474897}

[modify] https://crrev.com/5181e297dcae9ecd0d884177b198b4961d03d792/net/data/ssl/certificate_transparency/log_list.json
Oct 2 2017
Updating the accepted roots to pull in the latest changes to the Microsoft, Mozilla and Apple root programs:
Added "D-TRUST Root CA 3 2013" (https://crt.sh/?sha256=A1A86D04121EB87F027C66F53303C28E5739F943FC84B38AD6AF009035DD9457)
Added "GlobalSign Root CA - R6" (https://crt.sh/?sha256=2CABEAFE37D06CA22ABA7391C0033D25982952C453647349763A3AB5AD6CCF69)
Added "GTS Root R1" (https://crt.sh/?sha256=2A575471E31340BC21581CBD2CF13E158463203ECE94BCF9D3CC196BF09A5472)
Added "GTS Root R2" (https://crt.sh/?sha256=C45D7BB08E6D67E62E4235110B564E5F78FD92EF058C840AEA4E6455D7585C60)
Added "GTS Root R3" (https://crt.sh/?sha256=15D5B8774619EA7D54CE1CA6D0B0C403E037A917F131E8A04E1E6B7A71BABCE5)
Added "GTS Root R4" (https://crt.sh/?sha256=71CCA5391F9E794B04802530B363E121DA8A3043BB26662FEA4DCA7FC951A4BD)
Added "Halcom Root Certificate Authority" (https://crt.sh/?sha256=D7BA3F4FF8AD05633451470DDA3378A3491B90005E5C687D2B68D53647CFDD66)
Added "Netrust Root CA 2" (https://crt.sh/?sha256=65353833CF234C79562164F90849C0D104DBABF8EE41064D83E8CBE03BA1C5A5)
Added "SSL.com EV Root Certification Authority RSA R2" (https://crt.sh/?sha256=2E7BF16CC22485A7BBE2AA8696750761B0AE39BE3B2FE9D0CC6D4EF73491425C)
Removed "AddTrust Public CA Root" (https://crt.sh/?sha256=0791CA0749B20782AAD3C7D7BD0CDFC9485835843EB2D7996009CE43AB6C6927)
Removed "AddTrust Qualified CA Root" (https://crt.sh/?sha256=8095210805DB4BBC355E4428D8FD6EC2CDE3AB5FB97A9942988EB8F4DCD06016)
Removed "Secure Certificate Services" (https://crt.sh/?sha256=BD81CE3B4F6591D11A67B5FC7A47FDEF25521BF9AA4E18B9E3DF2E34A7803BE8)
Removed "Sonera Class1 CA" (https://crt.sh/?sha256=CD808284CF746FF2FD6EB58AA1D59C4AD4B3CA56FDC6274A8926A7835F32313D)
Removed "Trusted Certificate Services" (https://crt.sh/?sha256=3F06E55681D496F5BE169EB5389F9F2B8FF61E1708DF6881724849CD5D27CB69)
Removed "UTN-USERFirst-Network Applications" (https://crt.sh/?sha256=C38DCB38959393358691EA4D4F3CE495CE748996E64ED1891D897A0FC4DD55C6)
Nov 27 2017
"Log Operator: Comodo" was reasonably unambiguous when this bug was filed. However, given the recent purchase by Francisco Partners of a majority stake in Comodo CA Limited, we would like to clarify that this CT log is being operated by Comodo CA Limited.
Dec 1 2017
Updating the accepted roots to pull in the latest changes to the Microsoft root program:
Added "OISTE WISeKey Global Root GC CA" (https://crt.sh/?sha256=8560F91C3624DABA9570B5FEA0DBE36FF11A8323BE9486854FB3F34A5571198D)
Added "ATHEX Root CA G2" (https://crt.sh/?sha256=C1727F3B673E6AE7F12F23D789A7BE38B918223EF6911C592DA1F583444A547E)
Removed "PSCProcert" (https://crt.sh/?sha256=3CFC3C14D1F684FF17E38C43CA440C00B967EC933E8BFE064CA1D72C90F2ADB0)
See also https://github.com/Comodo-CA/CTLogs-AcceptedRoots/tree/v1.4
Apr 12 2018
Updating the accepted roots to pull in the latest changes to the Microsoft root program:
Added "certSIGN ROOT CA G2" (https://crt.sh/?sha256=657CFE2FA73FAA38462571F332A2363A46FCE7020951710702CDFBB6EEDA3305)
See also https://github.com/Comodo-CA/CTLogs-AcceptedRoots/tree/v1.5
Aug 17
Updating the accepted roots to pull in the latest changes to the Microsoft and Mozilla root programs:
Added "GLOBALTRUST 2015" (https://crt.sh/?sha256=416B1F9E84E74C1D19B23D8D7191C6AD81246E641601F599132729F507BEB3CC)
Added "Microsoft ECC Product Root Certificate Authority 2018" (https://crt.sh/?sha256=CACA93B9D23D2B6FA76E8B8471931E0DF3EC6F63AF3CDBB936C41954A1872326)
Removed "Buypass Class 2 CA 1" (https://crt.sh/?sha256=0F4E9CDD264B025550D170806340214FE94434C9B02F697EC710FC5FEAFB5E38)
Removed "DST ACES CA X6" (https://crt.sh/?sha256=767C955A76412C89AF688E90A1C70F556CFD6B6025DBEA10416D7EB6831F8C40)
Removed "TÜRKTRUST Bilgi İletişim ve Bilişim Güvenliği Hizmetleri A.Ş. (c) Aralık 2007" (https://crt.sh/?sha256=978CD966F2FAA07BA7AA9500D9C02E9D77F2CDADA6AD6BA74AF4B91C66593C50)
See also https://github.com/Comodo-CA/CTLogs-AcceptedRoots/tree/v1.6
Sep 4
Updating the accepted roots to pull in the latest changes to the Microsoft root program:
Added "emSign Root CA - C1" (https://crt.sh/?sha256=125609AA301DA0A249B97A8239CB6A34216F44DCAC9F3954B14292F2E8C8608F)
Added "emSign Root CA - G1" (https://crt.sh/?sha256=40F6AF0346A99AA1CD1D555A4E9CCE62C7F9634603EE406615833DC8C8D00367)
Added "emSign ECC Root CA - G3" (https://crt.sh/?sha256=86A1ECBA089C4A8D3BBE2734C612BA341D813E043CF9E8A862CD5C57A36BBE6B)
Added "emSign ECC Root CA - C3" (https://crt.sh/?sha256=BC4D809B15189D78DB3E1D8CF4F9726A795DA1643CA5F1358E1DDB0EDC0D7EB3)
Added "Entrust Root Certification Authority - G4" (https://crt.sh/?sha256=DB3517D1F6732A2D5AB97C533EC70779EE3270A62FB4AC4238372460E6F01E88)
See also https://github.com/Comodo-CA/CTLogs-AcceptedRoots/tree/v1.7
Oct 8
Updating the accepted roots to pull in the latest changes to the Microsoft root program:
Added "Hongkong Post Root CA 3" (https://crt.sh/?sha256=5A2FC03F0C83B090BBFA40604B0988446C7636183DF9846E17101A447FB8EFD6)
Added "Fina Root CA" (https://crt.sh/?sha256=5AB4FCDB180B5B6AF0D262A2375A2C77D25602015D96648756611E2E78C53AD3)
See also https://github.com/Comodo-CA/CTLogs-AcceptedRoots/tree/v1.8.1
Nov 2
Further to comment 29, Comodo CA Limited has been renamed to Sectigo Limited.
Dec 20
New Contact Details:
- Log Operator: Sectigo
- Email: ctops@sectigo.com
- Telephone: +44-1274-730505 (UK)
- Authorized Personnel: Rob Stradling, Robin Alden, and the Sectigo IT Operations Team
Dec 20
Updating the accepted roots to pull in the latest changes to the Microsoft root program:
Added "Microsoft ECC Root Certificate Authority 2017" (https://crt.sh/?sha256=FEA1884AB3AEA6D0DBEDBE4B9CD9FEC8655116300A86A856488FC488BB4B44D2)
Added "Microsoft ECC TS Root Certificate Authority 2018" (https://crt.sh/?sha256=3FD4BE8BAAD2F26E1BDE06C7584BB720DD1A972D111F5A4999BC44B08FB4960D)
Added "Microsoft EV ECC Root Certificate Authority 2017" (https://crt.sh/?sha256=6AEA30BC02CA85AFCFEC2F65F60881893C926925FD0704BD8ADA3F0F6EDDB699)
Added "Microsoft EV RSA Root Certificate Authority 2017" (https://crt.sh/?sha256=DFB3C314740596AD5FB97960EF62AD7C1FCCEEAD16E74054652D1032E6F140EF)
Added "Microsoft RSA Root Certificate Authority 2017" (https://crt.sh/?sha256=ECDD47B5ACBFA328211E1BFF54ADEAC95E6991E3C1D50E27B527E903208040A1)
Added "PostSignum Root QCA 4" (https://crt.sh/?sha256=AC7F7862E685C7A7D9826A58EA32D183D4893FCC8F8FD6D900C9769A987E77F0)
Removed "Symantec Class 1 Public Primary Certification Authority - G4" (https://crt.sh/?sha256=363F3C849EAB03B0A2A0F636D7B86D04D3AC7FCFE26A0A9121AB9795F6E176DF)
Removed "Symantec Class 2 Public Primary Certification Authority - G4" (https://crt.sh/?sha256=FE863D0822FE7A2353FA484D5924E875656D3DC9FB58771F6F616F9D571BC592)
See also https://github.com/sectigo/CTLogs-AcceptedRoots/tree/v1.9
Dec 20
Hi Rob, This is not a blocking issue, but could you speak more about the removal of the Symantec certs. Was it a request from them, internal factors, etc? The others I all recognize, the removal was wanting to understand.
Dec 20
Hi Ryan. Simply this:
" - Open acceptance policy: This log accepts all roots that are enabled for the server authentication trust purpose in one or more of the Microsoft, Mozilla and Apple root programs. We will update this log's list of accepted roots from time to time in accordance with this policy."
Those Symantec roots are no longer trusted for server auth in any of those root programs. It wasn't a request from them. (FWIW, our Dodo log continues to accept these roots).
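A monitor can check each accepted-roots update announced in this thread against what the log actually serves. The following is an added example, not code from this issue or from the log operator: it diffs two RFC 6962 `get-roots` responses and compares the result with the `Added`/`Removed` lines of an announcement. The certificate bytes, root names and snapshots are constructed placeholders.

```python
import base64
import hashlib
import json
import re

# Announcement lines in this thread look like:
#   Added "Name" (https://crt.sh/?sha256=<64 hex digits>)
ENTRY = re.compile(
    r'(Added|Removed) "([^"]+)" \(https://crt\.sh/\?sha256=([0-9A-Fa-f]{64})\)')

def fingerprints(get_roots_json):
    """SHA-256 of each DER certificate in an RFC 6962 get-roots response."""
    certs = json.loads(get_roots_json)["certificates"]
    return {hashlib.sha256(base64.b64decode(c)).hexdigest().upper() for c in certs}

def parse_announcement(text):
    """Map fingerprint -> root name for the Added and the Removed entries."""
    added, removed = {}, {}
    for action, name, fp_hex in ENTRY.findall(text):
        (added if action == "Added" else removed)[fp_hex.upper()] = name
    return added, removed

def audit(before_json, after_json, announcement):
    """Compare what the log served before/after with what was announced."""
    before, after = fingerprints(before_json), fingerprints(after_json)
    added, removed = parse_announcement(announcement)
    return {
        "unannounced_additions": sorted((after - before) - set(added)),
        "unannounced_removals": sorted((before - after) - set(removed)),
        "announced_not_added": sorted(n for f, n in added.items() if f not in after),
        "announced_not_removed": sorted(n for f, n in removed.items() if f in after),
    }

# Constructed sample data: placeholder bytes stand in for DER certificates.
def snapshot(blobs):
    return json.dumps({"certificates": [base64.b64encode(b).decode() for b in blobs]})

def fp(blob):
    return hashlib.sha256(blob).hexdigest().upper()

A, B, C, D = (b"constructed-root-%d" % i for i in range(4))
BEFORE = snapshot([A, B, C])
AFTER = snapshot([A, C, D])  # B was dropped and D was added
NOTE = 'Added "Example Root D" (https://crt.sh/?sha256=%s)' % fp(D)  # B not mentioned

if __name__ == "__main__":
    print(json.dumps(audit(BEFORE, AFTER, NOTE), indent=2))
```

A non-empty list in any of the four result fields means the served root set and the announcement disagree and the change needs a follow-up with the operator.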
Comment 1 by dtapu...@chromium.org, Mar 21 2017
Components: Internals>Network>SSL