Certificate Transparency - WoSign CT log server 2 inclusion request
Reported by
liangdong46@gmail.com,
May 3 2017
Issue description

1. Contact Information:
   - email: ctlog@wosign.com
   - phone number: +86-755-8600 8688
   - Log Operator: Dong Liang, Jeff Tang
2. Log Server URL: https://ctlog2.wosign.com
3. Server public key: Attached file: wosign_ctlog2_key_public.pem

-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEpYzoNS6O5Wp1rVxLMWEpnTBXjgIT
X+nKu1KoQwVgvw1zV3eyBdhn9vAzyflE3rZTc6oMVcKDCkvOXhrHFx2zzQ==
-----END PUBLIC KEY-----

4. Description and policy: This log server (https://ctlog2.wosign.com) is the second log server operated by WoSign and is hosted in a USA IDC. We provide free CT log service for all Trusted CAs. If any CA wants to add their root certificates to this CT log server, please send email to us to tell us the number of certificates that the CA expects to submit to our log server each month, the quantity of total issued certificates, the root CA certificates and the posting start date, then we will add the roots to our CT log server within 3 work days for FREE. But we reserve the right to reject a root inclusion request and remove root certificates from our trusted root lists for any reason.
5. MMD: 24 hours
6. Accepted Roots: Attached file: wosign_ctlog2_trusted_roots.pem
,
May 8 2017
luk:
thanks for your reminder, we have fixed the problem.
,
May 8 2017
Getting it in the right queue, although I have not reviewed the application yet.
,
Jul 7 2017
The ability to remove, for any reason, raises some concerns with respect to operating in the public interest. This creates substantial uncertainty as to whether or not the WoSign log may represent a reliable log for being used. Have you considered adopting a policy similar to other logs, such as in Issue 703699?

Our desire is to see that each added log provides substantial value to the community, through its demonstration of being operated in the public interest. We think it's a positive improvement to see more logs offering free inclusion, but are wanting to understand more the reasons for requiring contacting and the risk of removal.

An alternative policy that may better demonstrate this public interest is:
- Including the set of roots trusted for server authentication within the respective community root programs (relevant for Chrome, this includes that of Microsoft, Mozilla, Apple, and Google [ChromeOS and Android]) in the initial set
- Rate limiting, either by IP address or by overall CA (or intermediate), with descriptions of those limits
- Clearer policies around removal, such as anticipated reasons, durations of removal, etc
,
Jul 10 2017
Policy Update:
- Open acceptance policy: This log accepts all roots that are enabled for the server authentication trust purpose in one or more of the Microsoft, Mozilla and Apple root programs. We will update this log's list of accepted roots from time to time in accordance with this policy.
- Free: There is no cost to CAs for having a root accepted by this log. There is also no cost for submitting certificates/precertificates to this log. There are no contracts to sign at present, but we reserve the right to require contracts in the future.
- Rate limits: Submissions are rate-limited by IP address. Upon request, WoSign will consider raising a submitter's rate limit, but WoSign reserves the right to decline such requests (if WoSign does not believe there is sufficient spare capacity) or to charge for this service in the future.
- Reasonable Commercial Efforts: WoSign expects to be able to accept submissions for newly issued certificates, but WoSign asks that submitters refrain from submitting (to this log) large numbers of certificates that were not recently issued. WoSign reserves the right to remove (temporarily or permanently) any root from this log's list of accepted roots, without prior notice, if WoSign is unable to cope with the rate of submissions associated with that root.
- Disclaimer: WoSign's CT Log is provided "AS-IS". The log is an aggregate of information from WoSign and third parties not under WoSign's control and, therefore, WoSign does not guarantee accuracy of information from third party sources or contributors. Further, WoSign does not guarantee the performance or availability to any end users of the log, whether to certification authorities or other submitters or to any parties or individuals desiring to read the status or the content of the log.

We reserve the right to update this log policy from time to time.
,
Jul 10 2017
Thanks. Assigning to begin monitoring for inclusion.
,
Jul 10 2017
Thank you for your request, we will start monitoring your log server tomorrow. Should no issues be detected, the initial compliance monitoring phase will be complete on 9th October 2017 and we will update this bug shortly after that date to confirm.
,
Aug 30 2017
Because our company has changed its English name to “WoTrus CA Limited” (https://www.wosign.com/english/News/English_name_change_to_WoTrus_2017.htm), we plan to stop this CT Log server (ctlog2.wosign.com) and re-apply with a new one: ctlog.wotrus.com. Could you stop monitoring this log? We should reapply with a new domain name.
,
Sep 4 2017
Please note that we will stop this log on Sep 07, 2017.
,
Sep 4 2017
Noted, I'll terminate the compliance monitoring.
,
Sep 4 2017
Please ensure you notify ct-policy@chromium.org about this change. As this change does not seem to be for technical reasons, I think it will raise questions as to whether future WoTrus logs will be operating in the public interest and acceptable for inclusion.
,
Sep 7 2017
The NextAction date has arrived: 2017-09-07
Comment 1 by lukegb@lukegb.com, May 5 2017
Hmm, this log seems to periodically return spurious 400s with the message { "error_message": "unknown root", "success": false } to the add-chain endpoint, but resubmitting (sometimes) works fine. If the log is load balanced, is the set of trusted roots the same on all backends?
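One way a log operator or monitor could check the backend-consistency question raised in Comment 1, as an added example that is not part of the original thread or WoSign's code: poll the RFC 6962 get-roots endpoint repeatedly and compare the root sets in the replies. It assumes each backend's get-roots reply reflects the roots it accepts on add-chain; the function names and the placeholder byte strings standing in for DER certificates are constructed for illustration.

```python
import base64
import hashlib

def fp(der: bytes) -> str:
    """SHA-256 fingerprint of one DER-encoded certificate."""
    return hashlib.sha256(der).hexdigest()

def root_fingerprints(get_roots_reply: dict) -> frozenset:
    """Fingerprint every entry of the "certificates" array (base64 DER)."""
    return frozenset(fp(base64.b64decode(c)) for c in get_roots_reply["certificates"])

def compare_samples(replies: list) -> dict:
    """Compare the root sets seen in repeated get-roots replies from one log URL."""
    sets = [root_fingerprints(r) for r in replies]
    union = frozenset().union(*sets)
    common = frozenset.intersection(*sets) if sets else frozenset()
    # Roots advertised by only some replies: a chain ending in one of these
    # is accepted or rejected depending on which backend answers add-chain.
    unstable = {f: sum(f in s for s in sets) for f in union - common}
    return {
        "distinct_root_sets": len(set(sets)),
        "consistent": len(set(sets)) <= 1,
        "unstable_roots": unstable,  # fingerprint -> number of replies containing it
    }

def reply(*ders: bytes) -> dict:
    """Build a get-roots style reply from raw bytes (constructed test data)."""
    return {"certificates": [base64.b64encode(d).decode() for d in ders]}

# Constructed placeholders standing in for DER root certificates.
ROOT_A, ROOT_B, ROOT_C = b"constructed-root-A", b"constructed-root-B", b"constructed-root-C"
# Four polls of the same URL; the second one hit a backend that lacks ROOT_C.
SAMPLES = [reply(ROOT_A, ROOT_B, ROOT_C), reply(ROOT_A, ROOT_B),
           reply(ROOT_C, ROOT_B, ROOT_A), reply(ROOT_A, ROOT_B, ROOT_C)]

if __name__ == "__main__":
    report = compare_samples(SAMPLES)
    print("consistent:", report["consistent"])
    for f, seen in report["unstable_roots"].items():
        print(f"root {f[:16]}... present in {seen}/{len(SAMPLES)} replies")
```

Comparing fingerprints as sets makes the check independent of the order in which a backend lists its roots, so only a genuinely missing or extra root is reported.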