Certificate Transparency - Google "argon2018" Log Server Inclusion Request |
|||||||||||||||||||
Issue descriptionContact Information: - email: google-ct-logs@googlegroups.com - phone number: +442070313000 (Google UK) - Log Operator: Al Cutter, Pierre Phaneuf, Paul Hadfield, Martin Smith, Rob Percival, Kat Joyce, David Drysdale, Alan Parra Log Server URL: https://ct.googleapis.com/logs/argon2018 Log ID: pFASaQVaFVReYhGrN7wQP2KuVXakXksXFEU+GyIQaiU= Certificate Expiry Range: Jan 01 2018 00:00:00Z inclusive to Jan 01 2019 00:00:00Z exclusive Server public key: attached in PEM file google-argon2018-public-key.pem. Description: Google's newest public CT Log, operating since 2017-August-10. This Log is implemented and operated by Google. This Log accepts all certificates that are anchored in a root trusted by one of the major browser vendors including Apple, Microsoft and Mozilla. This Log accepts certificates expiring within the date range as listed above. We will freeze the Log once its inclusion expiry window has passed and close it for new submissions as of Jan 01 2019 00:00:00Z. We will then request that trust be withdrawn from this log by Chromium as all the certificates it contains will have expired and will therefore be no longer valid. The combination of the certificate expiry ranges of the new Google Argon Logs will allow any certificate that chains to a trusted root and has a lifetime of 39 months or less to be logged to one of the new Argon Logs, if it is issued within the next year. Further Argon Logs will be turned up in the future in order to maintain the window for accepted certificates. This Log is public and provides open access. There are no fees for submitting certificates or any other usage including queries and mirroring. No prior contracts or agreements are required before the Log may be used. Submissions are rate limited by IP address. Queries are rate limited by IP address. Rate limited requests will be denied with an HTTP error status code. We intend to provide serving capacity to support any reasonable usage level but additional automatic mechanisms exist that will operate to protect our infrastructure in emergency situations. The purpose of our new Logs is an attempt to move towards a more managed and predictable lifecycle for CT Logs and thereby reduce operational overhead for both submitters and log operators. We have no current plan or schedule to discontinue serving these Logs, but may revisit this as operational policies within the ecosystem evolve. MMD: 24 hours Accepted roots: Attached file: google-argon2018-roots-20170818.pem Implementation Note: This Log is one of the first that are based on our new Golang implementation of Certificate Transparency. The open source version of this code can be found at: https://github.com/google/trillian and https://github.com/google/certificate-transparency-go and it is made available under an Apache 2.0 license.
,
Aug 22 2017
Note: The current policy requires that "The Log's public key, attached as a binary file containing the DER encoding of the SubjectPublicKeyInfo ASN.1 structure". These were attached as PEM files :) With that exception, I believe this meets all the criteria for inclusion. Assigning to Rob for monitoring.
,
Aug 23 2017
The Argon2018 log public key in DER format. Martin
,
Aug 23 2017
The Argon2018 log public key in DER format. Martin
,
Aug 23 2017
Thank you for your request, we have started monitoring your log server. Should no issues be detected, the initial compliance monitoring phase will be complete on 21st November 2017 and we will update this bug shortly after that date to confirm.
,
Sep 4 2017
,
Nov 14 2017
The following root certificates should be accepted by this log within the next few days. This brings us up-to-date with the latest roots trusted by Apple, Microsoft and Mozilla. https://bugs.chromium.org/p/chromium/issues/attachment?aid=312118
,
Nov 14 2017
In addition to the above certificates, the following certificates will also be accepted: https://bugs.chromium.org/p/chromium/issues/attachment?aid=312144
,
Nov 21 2017
For the last several hours, this log has been returning a 500 internal server error with the message "backend GetLeavesByIndex request failed: RPC::DEADLINE_EXCEEDED: context deadline exceeded" in response to valid get-entries requests, just like Argon 2017 was doing last month (https://bugs.chromium.org/p/chromium/issues/detail?id=756813).
,
Nov 21 2017
Thanks for your report, we're looking into it. Have you been seeing this error consistently or intermittently?
,
Nov 21 2017
The NextAction date has arrived: 2017-11-21
,
Nov 23 2017
We have reduced the maximum number of entries returned by /ct/v1/get-entries to 100. This is to mitigate a performance issue that has been causing a small number of these requests to fail (less than 1%). We are investigating the underlying cause and intend to publish a postmortem on https://groups.google.com/a/chromium.org/forum/#!forum/ct-policy once that is complete.
,
Dec 1 2017
We've posted a post mortem on the latency issue here: https://groups.google.com/a/chromium.org/forum/#!topic/ct-policy/c1rU2kpHkJk Many thanks to awga for the observations.
,
Feb 27 2018
Devon, please advise once this log can be added to Chrome.
,
Feb 27 2018
This log has passed the initial 90 day compliance period and we will start the process to add this to Chrome.
,
Mar 1 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/79966f2ee55749a3d9494f8beb1bcd9a5dcca373 commit 79966f2ee55749a3d9494f8beb1bcd9a5dcca373 Author: Devon O'Brien <asymmetric@chromium.org> Date: Thu Mar 01 19:33:09 2018 Add Nimbus and Argon to Trusted CT Logs The following CT Logs have passed their monitoring period and are being added as trusted Logs in Chrome: Google Argon2018, Argon2019, Argon2020, Argon2021 Cloudflare Nimbus2018, Nimbus2019, Nimbus2020, Nimbus2021 Bug: 756814 , 756817 , 756818 , 756819 , 780654 , 780655 , 780656 , 780657 Change-Id: I6b8671db0dc7ba34b666345049934ed3e2b5705a Reviewed-on: https://chromium-review.googlesource.com/942688 Reviewed-by: Ryan Sleevi <rsleevi@chromium.org> Commit-Queue: Ryan Sleevi <rsleevi@chromium.org> Cr-Commit-Position: refs/heads/master@{#540254} [modify] https://crrev.com/79966f2ee55749a3d9494f8beb1bcd9a5dcca373/net/data/ssl/certificate_transparency/log_list.json
,
Mar 1 2018
,
Mar 1 2018
This bug requires manual review: We are only 4 days from stable. Please contact the milestone owner if you have questions. Owners: cmasso@(Android), cmasso@(iOS), bhthompson@(ChromeOS), govind@(Desktop) For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Mar 1 2018
+awhalley@ for M65 merge review. +cmasso@ as FYI.
,
Mar 1 2018
,
Mar 2 2018
sleevi@ verified changes working correctly. awhalley@ double checked for CT regressions. govind@ - good for 65
,
Mar 2 2018
Approving merge for M65 branch 3325 based on comment #22 for issues listed at #21. Please merge ASAP. Thank you.
,
Mar 2 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/a293012d1d566826faba24c33e52343453fcedbd commit a293012d1d566826faba24c33e52343453fcedbd Author: Ryan Sleevi <rsleevi@chromium.org> Date: Fri Mar 02 18:06:44 2018 Add Nimbus and Argon to Trusted CT Logs The following CT Logs have passed their monitoring period and are being added as trusted Logs in Chrome: Google Argon2018, Argon2019, Argon2020, Argon2021 Cloudflare Nimbus2018, Nimbus2019, Nimbus2020, Nimbus2021 TBR=asymmetric@chromium.org (cherry picked from commit 79966f2ee55749a3d9494f8beb1bcd9a5dcca373) Bug: 756814 , 756817 , 756818 , 756819 , 780654 , 780655 , 780656 , 780657 Change-Id: I6b8671db0dc7ba34b666345049934ed3e2b5705a Reviewed-on: https://chromium-review.googlesource.com/942688 Reviewed-by: Ryan Sleevi <rsleevi@chromium.org> Commit-Queue: Ryan Sleevi <rsleevi@chromium.org> Cr-Original-Commit-Position: refs/heads/master@{#540254} Reviewed-on: https://chromium-review.googlesource.com/946568 Cr-Commit-Position: refs/branch-heads/3325@{#647} Cr-Branched-From: bc084a8b5afa3744a74927344e304c02ae54189f-refs/heads/master@{#530369} [modify] https://crrev.com/a293012d1d566826faba24c33e52343453fcedbd/net/data/ssl/certificate_transparency/log_list.json
,
Apr 2 2018
,
Apr 16 2018
The attached root certificates should be accepted by this log within the next few days. This brings us up-to-date with the latest roots trusted by Apple, Microsoft and Mozilla.
|
|||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||
Comment 1 by robpercival@chromium.org
, Aug 18 2017Labels: allpublic