Issue 756818

Issue metadata

Status: Fixed
Owner:
Closed: Mar 2018
Cc:
Components:
EstimatedDays: ----
NextAction: 2017-11-21
OS: Linux, Android, Windows, Chrome, Mac, Fuchsia
Pri: 3
Type: Feature

Certificate Transparency - Google "argon2020" Log Server Inclusion Request

Project Member Reported by mhs@google.com, Aug 18 2017

Issue description

Contact Information:
- email: google-ct-logs@googlegroups.com
- phone number: +442070313000 (Google UK)
- Log Operator: Al Cutter, Pierre Phaneuf, Paul Hadfield, Martin Smith, Rob Percival, Kat Joyce, David Drysdale, Alan Parra

Log Server URL: https://ct.googleapis.com/logs/argon2020

Log ID: sh4FzIuizYogTodm+Su5iiUgZ2va+nDnsklTLe+LkF4=

Certificate Expiry Range:

Jan 01 2020 00:00:00Z inclusive to Jan 01 2021 00:00:00Z exclusive

Server public key: attached in PEM file google-argon2020-public-key.pem.

Description: 

Google's newest public CT Log, operating since 2017-August-10.

This Log is implemented and operated by Google.

This Log accepts all certificates that are anchored in a root trusted by one of the major browser vendors including Apple, Microsoft and Mozilla. This Log accepts certificates expiring within the date range as listed above.

We will freeze the Log once its inclusion expiry window has passed and close it for new submissions as of Jan 01 2021 00:00:00Z. We will then request that trust be withdrawn from this log by Chromium as all the certificates it contains will have expired and will therefore be no longer valid.

The combination of the certificate expiry ranges of the new Google Argon Logs will allow any certificate that chains to a trusted root and has a lifetime of 39 months or less to be logged to one of the new Argon Logs, if it is issued within the next year. Further Argon Logs will be turned up in the future in order to maintain the window for accepted certificates.

This Log is public and provides open access. There are no fees for submitting certificates or any other usage including queries and mirroring. No prior contracts or agreements are required before the Log may be used.

Submissions are rate limited by IP address. Queries are rate limited by IP address. Rate limited requests will be denied with an HTTP error status code. We intend to provide serving capacity to support any reasonable usage level but additional automatic mechanisms exist that will operate to protect our infrastructure in emergency situations.

The purpose of our new Logs is an attempt to move towards a more managed and predictable lifecycle for CT Logs and thereby reduce operational overhead for both submitters and log operators. We have no current plan or schedule to discontinue serving these Logs, but may revisit this as operational policies within the ecosystem evolve.

MMD: 24 hours

Accepted roots: Attached file: google-argon2020-roots-20170818.pem

Implementation Note: 

This Log is one of the first that are based on our new Golang implementation of Certificate Transparency. The open source version of this code can be found at: https://github.com/google/trillian and https://github.com/google/certificate-transparency-go and it is made available under an Apache 2.0 license.

Attachments:
- google-argon2020-public-key.pem (178 bytes)
- google-argon2020-roots-20170818.pem (994 KB)
Cc: certific...@googlegroups.com
Labels: allpublic
Owner: robpercival@chromium.org
Status: Assigned (was: Untriaged)
Note: The current policy requires that "The Log's public key, attached as a binary file containing the DER encoding of the SubjectPublicKeyInfo ASN.1 structure". These were attached as PEM files :)

With that exception, I believe this meets all the criteria for inclusion. Assigning to Rob for monitoring.
It looks like that particular part of the policy has been widely ignored by most inclusion requests, in favour of attaching the PEM encoding instead. I'll propose a change to the policy to request PEM encoded public keys instead.

Comment 4 by mhs@google.com, Aug 23 2017

The Argon2020 log public key in DER format.

Martin
Attachment: google-argon2020-public-key.der (91 bytes)
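
How the Log ID relates to the attached key, as an added example that is not part of the original thread: per RFC 6962 the Log ID is the base64 SHA-256 of the DER SubjectPublicKeyInfo, so the PEM and DER attachments must yield the same ID. The key below is a constructed P-256 placeholder (an assumption, consistent with the 178-byte PEM and 91-byte DER attachment sizes), and all function names are hypothetical.

```python
import base64
import hashlib

# Constructed sample key: the fixed 27-byte SubjectPublicKeyInfo prefix of an
# uncompressed P-256 key followed by 64 placeholder bytes standing in for X||Y.
# It is NOT the Argon2020 key and not a valid curve point.
P256_SPKI_PREFIX = bytes.fromhex(
    "3059301306072a8648ce3d020106082a8648ce3d03010703420004"
)
SAMPLE_DER = P256_SPKI_PREFIX + bytes(range(64))

PEM_BEGIN = "-----BEGIN PUBLIC KEY-----"
PEM_END = "-----END PUBLIC KEY-----"


def der_to_pem(der: bytes) -> bytes:
    """Wrap a DER SubjectPublicKeyInfo in PEM armor, 64 base64 chars per line."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"{PEM_BEGIN}\n{body}\n{PEM_END}\n".encode("ascii")


def pem_to_der(pem: bytes) -> bytes:
    """Strip the PEM armor and decode the base64 body back to DER."""
    lines = pem.decode("ascii").strip().splitlines()
    if len(lines) < 3 or lines[0] != PEM_BEGIN or lines[-1] != PEM_END:
        raise ValueError("not a PEM-encoded SubjectPublicKeyInfo")
    return base64.b64decode("".join(lines[1:-1]), validate=True)


def log_id(key: bytes) -> str:
    """RFC 6962 log ID: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    der = pem_to_der(key) if key.lstrip().startswith(b"-----BEGIN") else key
    if der[:1] != b"\x30":  # SubjectPublicKeyInfo is an ASN.1 SEQUENCE
        raise ValueError("expected a DER SEQUENCE")
    return base64.b64encode(hashlib.sha256(der).digest()).decode("ascii")


def matches_published_id(key: bytes, published: str) -> bool:
    """True if the key (PEM or DER) hashes to the Log ID published in a request."""
    return log_id(key) == published
```

Running `matches_published_id` over the real attachment and the Log ID in the issue description is the check that confirms the two belong together, whichever encoding was attached.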

Comment 5 by katjoyce@google.com, Aug 23 2017

Thank you for your request, we have started monitoring your log server.
Should no issues be detected, the initial compliance monitoring phase
will be complete on 21st November 2017 and we will update this bug
shortly after that date to confirm.
Labels: OS-Android OS-Chrome OS-Fuchsia OS-Linux OS-Mac OS-Windows
NextAction: 2017-11-21
Status: Started (was: Assigned)
The following root certificates should be accepted by this log within the next few days. This brings us up-to-date with the latest roots trusted by Apple, Microsoft and Mozilla.

https://bugs.chromium.org/p/chromium/issues/attachment?aid=312118
In addition to the above certificates, the following certificates will also be accepted: https://bugs.chromium.org/p/chromium/issues/attachment?aid=312144
The NextAction date has arrived: 2017-11-21
We have reduced the maximum number of entries returned by /ct/v1/get-entries to 100. This is to mitigate a performance issue that has been causing a small number of these requests to fail (less than 1%). We are investigating the underlying cause and intend to publish a postmortem on https://groups.google.com/a/chromium.org/forum/#!forum/ct-policy once that is complete.
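
A client-side consequence of the get-entries cap, as an added example that is not part of the original thread: a monitor has to advance by the number of entries actually returned rather than the number requested. `fake_get_entries` is a constructed offline stand-in for the log endpoint, and all names are hypothetical.

```python
from typing import Callable, Iterator, List, Tuple

SERVER_CAP = 100  # per-request limit stated in the comment above


def fake_get_entries(start: int, end: int, tree_size: int = 250) -> List[dict]:
    """Constructed stand-in for GET /ct/v1/get-entries?start=..&end=..
    (0-based, inclusive range). Returns at most SERVER_CAP entries."""
    end = min(end, tree_size - 1, start + SERVER_CAP - 1)
    return [{"index": i} for i in range(start, end + 1)]


def fetch_range(get_entries: Callable[[int, int], List[dict]],
                start: int, end: int, want: int = 1000) -> Iterator[dict]:
    """Yield entries start..end inclusive, tolerating short responses."""
    next_index = start
    while next_index <= end:
        batch = get_entries(next_index, min(end, next_index + want - 1))
        if not batch:
            # An empty batch would otherwise loop forever on the same index.
            raise RuntimeError(f"log returned no entries at index {next_index}")
        yield from batch
        next_index += len(batch)  # advance by what arrived, not by `want`


def count_requests(start: int, end: int,
                   want: int = 1000) -> Tuple[List[int], List[Tuple[int, int]]]:
    """Fetch a range from the fake log and record each (start, end) requested."""
    calls: List[Tuple[int, int]] = []

    def spy(s: int, e: int) -> List[dict]:
        calls.append((s, e))
        return fake_get_entries(s, e)

    got = [entry["index"] for entry in fetch_range(spy, start, end, want)]
    return got, calls
```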
We've posted a post mortem on the latency issue here:
https://groups.google.com/a/chromium.org/forum/#!topic/ct-policy/c1rU2kpHkJk

Many thanks to awga for the observations.
What's the current status of the Argon logs? It's been two months since a note was posted and it's not clear if it has successfully passed the 90 day monitoring period (which ended 21st November 2017). Will Chrome be configured to trust these logs by April 30th?
Owner: asymmetric@chromium.org
Devon, please advise once this log can be added to Chrome.
This log has passed the initial 90 day compliance period and we will start
the process to add this to Chrome.
Project Member

Comment 15 by bugdroid1@chromium.org, Mar 1 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/79966f2ee55749a3d9494f8beb1bcd9a5dcca373

commit 79966f2ee55749a3d9494f8beb1bcd9a5dcca373
Author: Devon O'Brien <asymmetric@chromium.org>
Date: Thu Mar 01 19:33:09 2018

Add Nimbus and Argon to Trusted CT Logs

The following CT Logs have passed their monitoring period and
are being added as trusted Logs in Chrome:

Google Argon2018, Argon2019, Argon2020, Argon2021
Cloudflare Nimbus2018, Nimbus2019, Nimbus2020, Nimbus2021

Bug: 756814, 756817, 756818, 756819, 780654, 780655, 780656, 780657
Change-Id: I6b8671db0dc7ba34b666345049934ed3e2b5705a
Reviewed-on: https://chromium-review.googlesource.com/942688
Reviewed-by: Ryan Sleevi <rsleevi@chromium.org>
Commit-Queue: Ryan Sleevi <rsleevi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#540254}
[modify] https://crrev.com/79966f2ee55749a3d9494f8beb1bcd9a5dcca373/net/data/ssl/certificate_transparency/log_list.json

Labels: Merge-Request-65
Project Member

Comment 17 by sheriffbot@chromium.org, Mar 1 2018

Labels: -Merge-Request-65 Merge-Review-65 Hotlist-Merge-Review
This bug requires manual review: We are only 4 days from stable.
Please contact the milestone owner if you have questions.
Owners: cmasso@(Android), cmasso@(iOS), bhthompson@(ChromeOS), govind@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Cc: awhalley@chromium.org cma...@chromium.org
+awhalley@ for M65 merge review.

+cmasso@ as FYI
Status: Fixed (was: Started)
Labels: -Merge-Review-65
Tracking any merges for this in issue 756814
Project Member

Comment 21 by bugdroid1@chromium.org, Mar 2 2018

Labels: merge-merged-3325
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/a293012d1d566826faba24c33e52343453fcedbd

commit a293012d1d566826faba24c33e52343453fcedbd
Author: Ryan Sleevi <rsleevi@chromium.org>
Date: Fri Mar 02 18:06:44 2018

Add Nimbus and Argon to Trusted CT Logs

The following CT Logs have passed their monitoring period and
are being added as trusted Logs in Chrome:

Google Argon2018, Argon2019, Argon2020, Argon2021
Cloudflare Nimbus2018, Nimbus2019, Nimbus2020, Nimbus2021

TBR=asymmetric@chromium.org

(cherry picked from commit 79966f2ee55749a3d9494f8beb1bcd9a5dcca373)

Bug: 756814, 756817, 756818, 756819, 780654, 780655, 780656, 780657
Change-Id: I6b8671db0dc7ba34b666345049934ed3e2b5705a
Reviewed-on: https://chromium-review.googlesource.com/942688
Reviewed-by: Ryan Sleevi <rsleevi@chromium.org>
Commit-Queue: Ryan Sleevi <rsleevi@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#540254}
Reviewed-on: https://chromium-review.googlesource.com/946568
Cr-Commit-Position: refs/branch-heads/3325@{#647}
Cr-Branched-From: bc084a8b5afa3744a74927344e304c02ae54189f-refs/heads/master@{#530369}
[modify] https://crrev.com/a293012d1d566826faba24c33e52343453fcedbd/net/data/ssl/certificate_transparency/log_list.json

(M65 merge approval granted in 756814)
Labels: -Hotlist-Merge-Review
The attached root certificates should be accepted by this log within the next few days. This brings us up-to-date with the latest roots trusted by Apple, Microsoft and Mozilla.
Attachment: added.pem (5.2 KB)
