
Issue 704033

Issue metadata

Status: WontFix
Owner:
Closed: Apr 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 3
Type: Bug




CT Log Service application from SHECA

Reported by xiongyua...@sheca.com, Mar 22 2017

Issue description

Hi, I am writing this on behalf of SHECA to apply for inclusion of the CT log server in Chromium.
Shanghai Electronic Certification Authority Co., Ltd. ('SHECA' hereafter) is a Shanghai-based commercial company and is one of the biggest Certification Authorities in China. SHECA is also an internationally recognized CA, as a member of the CA/Browser Forum, and has undergone an annual WebTrust audit by PWC since 2008.

The information for the application is as below.

1. Contact Information for the Log Operator, including:
- An email or e-mail alias that is continuously monitored by the Log Operator
- A phone number
- A list of person(s) authorized to represent the Log Operator
Email: CTLS@sheca.com
Telephone: +86 21 36393100
Mobile phone: +86 13501776822 (Cui Jiuqiang/崔久强)
Person authorized to represent SHECA: Cui Jiuqiang (崔久强)
2. A public HTTP endpoint that responds to all Log Client Messages indicated in RFC 6962, Section 4
URL: http://ctlog.sheca.com/ct/v1/get-sth   
3. The Log's public key, attached as a binary file containing the DER encoding of the SubjectPublicKeyInfo ASN.1 structure
Please see attachment.
4. A description of the Log, including applicable policies or requirements for logging certificates.
The CT Log Server is implemented and operated by SHECA. Any person or organization is able to submit a certificate to a log on the server after being tested and approved by SHECA. Besides, SHECA also submits certificates to a log on the CT server of GDCA. SHECA conforms to the clarifications in the CP/CPS published on the website of SHECA (http://www.sheca.com/policy), which includes conformance to the latest version of the Guidelines and Baseline Requirements of the CA/Browser Forum and the related laws and regulations published by the Government and Official Departments in charge.

5. The Maximum Merge Delay (MMD) of the Log
24h.
6. All of the Accepted Root Certificates of the Log 
Google:
Merge Delay Monitor Root
SHECA:
UCA Global G2 Root, UCA Extended Validation Root
GDCA:
GDCA TrustAUTH R5 ROOT

 
ec_public_key.pem
178 bytes Download

Comment 1 by eranm@chromium.org, Mar 22 2017

Cc: certific...@googlegroups.com eranm@chromium.org rsleevi@chromium.org robpercival@chromium.org
Components: Internals>Network>CertTrans
Owner: eranm@chromium.org
Status: Available (was: Unconfirmed)

Comment 2 by eranm@chromium.org, Mar 22 2017

Thank you for your application.

I note that the endpoint you have provided, http://ctlog.sheca.com, does not support HTTPS:
curl: (7) Failed to connect to ctlog.sheca.com port 443: Connection refused

Please configure your log server to accept requests over HTTPS.
It's also currently returning an STH with a timestamp approximately 8 hours in the future.

e.g. at 2017-03-22 11:23:49 UTC my monitor received an STH with a timestamp of 2017-03-22 18:27:08 UTC.

Comment 4 by eranm@chromium.org, Mar 22 2017

To be clear, given the STHs produced with a timestamp in the future, you'll have to apply for a new log inclusion request after doing the following:
- Setting up HTTPS endpoint for accessing the log.
- Setting up a new log: A new key, empty log, and please choose a different URL for the new log.
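The two problems raised in comments 2 and 4, a get-sth endpoint served only over plain HTTP and an STH whose timestamp lies hours in the future, are exactly the conditions a CT monitor checks before it trusts a log. The following is an added example, not code from this issue or from SHECA's or Chromium's log tooling: it runs those checks offline against a constructed STH JSON object (the RFC 6962 Section 4.3 response shape) whose timestamp reproduces the skew reported in comment 2, and it also serialises the RFC 6962 Section 3.5 TreeHeadSignature input so the signature could then be verified with the log's DER-encoded public key. The 24h MMD comes from item 5 of the application; the five-minute clock-skew tolerance, the function names and the placeholder signature value are assumptions of this example.

```python
"""Offline sanity checks a CT monitor runs on a log's get-sth response.

Added example (not from the issue); assumes a 5 minute skew tolerance.
"""
import base64
import calendar
import hashlib
import json
import struct
from urllib.parse import urlparse

MMD_MS = 24 * 60 * 60 * 1000        # Maximum Merge Delay stated in the application: 24h
MAX_CLOCK_SKEW_MS = 5 * 60 * 1000   # assumed tolerance for honest clock drift


def utc_ms(year, month, day, hour, minute, second):
    """UTC calendar time to milliseconds since the epoch, the unit STH timestamps use."""
    return calendar.timegm((year, month, day, hour, minute, second, 0, 0, 0)) * 1000


def check_endpoint(url):
    """RFC 6962 Section 4 messages are expected over HTTPS; return a finding or None."""
    scheme = urlparse(url).scheme
    if scheme != "https":
        return "endpoint scheme is %r, HTTPS required" % scheme
    return None


def sth_signed_data(timestamp_ms, tree_size, sha256_root_hash):
    """Serialise the digitally-signed body of a TreeHeadSignature (RFC 6962 Section 3.5):
    Version (1 byte, v1 = 0), SignatureType (1 byte, tree_hash = 1),
    uint64 timestamp, uint64 tree_size, opaque sha256_root_hash[32].
    This is the byte string a monitor verifies against the log's public key."""
    if len(sha256_root_hash) != 32:
        raise ValueError("sha256_root_hash must be 32 bytes")
    return struct.pack(">BBQQ", 0, 1, timestamp_ms, tree_size) + sha256_root_hash


def check_sth(sth_json, now_ms, mmd_ms=MMD_MS, max_skew_ms=MAX_CLOCK_SKEW_MS):
    """Return a list of findings for a get-sth JSON body; empty means the STH looks healthy."""
    sth = json.loads(sth_json)
    findings = []
    timestamp = int(sth["timestamp"])
    # A log must not sign tree heads dated in the future (comment 2 reported ~7h ahead).
    if timestamp - now_ms > max_skew_ms:
        findings.append("STH timestamp is %d ms in the future" % (timestamp - now_ms))
    # A log must produce a fresh STH at least once per MMD.
    if now_ms - timestamp > mmd_ms:
        findings.append("newest STH is %d ms old, older than the MMD" % (now_ms - timestamp))
    root_hash = base64.b64decode(sth["sha256_root_hash"])
    if len(root_hash) != 32:
        findings.append("sha256_root_hash is %d bytes, expected 32" % len(root_hash))
    # An empty log (tree_size 0) must publish the hash of the empty string as its root.
    if int(sth["tree_size"]) == 0 and root_hash != hashlib.sha256(b"").digest():
        findings.append("empty tree does not carry SHA-256('') as its root hash")
    return findings


# Constructed sample: an empty log whose STH carries the future timestamp from comment 2.
SAMPLE_STH = json.dumps({
    "tree_size": 0,
    "timestamp": utc_ms(2017, 3, 22, 18, 27, 8),
    "sha256_root_hash": base64.b64encode(hashlib.sha256(b"").digest()).decode(),
    "tree_head_signature": base64.b64encode(b"constructed-placeholder").decode(),
})


if __name__ == "__main__":
    print(check_endpoint("http://ctlog.sheca.com/ct/v1/get-sth"))
    # Monitor's clock at the moment comment 2 describes.
    for finding in check_sth(SAMPLE_STH, utc_ms(2017, 3, 22, 11, 23, 49)):
        print(finding)
```

Run as a script, the first line reports the missing HTTPS and the loop prints one finding for the timestamp about seven hours ahead of the monitor's clock; once the STH is verified against `sth_signed_data(...)` with the log's public key, a monitor would also keep the STH so it can later check consistency proofs against it.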

Comment 5 by pphaneuf@google.com, Apr 21 2017

Status: WontFix (was: Available)
This issue is obsoleted by issue 712069.
