Issue 768308

Issue metadata

Status: WontFix
Closed: Nov 5
NextAction: 2018-04-20
Pri: 3
Type: Bug

Inclusion of GDCA CT Log 1

Reported by wangsn1...@gmail.com, Sep 25 2017

Issue description

Contact Information:
  - Log Operator: GDCA
  - Email: wangsn1206@gmail.com
  - Telephone: +86(20)83487228-805
  - Authorized Personnel: Wang Shengnan, Zheng Huitao

HTTPS Endpoint: https://log.gdca.com.cn/

Maximum Merge Delay: 24 hours

Public Key: see attached (gdca-log-pubkey.der)

Accepted Roots: see attached (gdca-trusted-roots.pem)

The "Merge Delay Monitor Root" is already added in the trusted roots file.

Description:
  - Open acceptance policy: This log is hosted on AWS in the U.S., and accepts all roots that are enabled for the server authentication trust purpose in one or more of the Microsoft, Mozilla, Apple and Google root programs.  We will update this log's list of accepted roots from time to time in accordance with this policy.
  - Free: There is no cost to CAs for having a root accepted by this log.  There is also no cost for submitting certificates/precertificates to this log.  There are no contracts to sign at present, but we reserve the right to require contracts in the future.
  - Rate limits: Submissions are rate-limited by IP address.  Upon request, GDCA will consider raising a submitter's rate limit, but GDCA reserves the right to decline such requests (if GDCA does not believe there is sufficient spare capacity) or to charge for this service in the future.
  - Reasonable Commercial Efforts: GDCA expects to be able to accept submissions for newly issued certificates, but GDCA asks that submitters refrain from submitting (to this log) large numbers of certificates that were not recently issued.  GDCA reserves the right to remove (temporarily or permanently) any root from this log's list of accepted roots, without prior notice, if GDCA is unable to cope with the rate of submissions associated with that root.
  - Disclaimer: GDCA's CT Log is provided "AS-IS".  The log is an aggregate of information from GDCA and third parties not under GDCA's control and, therefore, GDCA does not guarantee accuracy of information from third party sources or contributors.  Further, GDCA does not guarantee the performance or availability to any end users of the log, whether to certification authorities or other submitters or to any parties or individuals desiring to read the status or the content of the log.  We reserve the right to update this log policy from time to time.

Attachments: gdca_log_pubkey.der (91 bytes), gdca-trusted-roots.pem (4.0 KB)

Comment 1 by eranm@chromium.org, Sep 25 2017

Cc: rsleevi@chromium.org
Labels: TE-NeedsTriageHelp
Adding the label 'TE-NeedsTriageHelp' as the issue is out of TE's scope.

Components: Internals>Network>CertTrans
Is there a planned timescale in which GDCA plans to operate this log, at this IP? For example, is this something GDCA has made plans for only one year of operation, or multiple years?

I ask in light of the discussion surrounding the temporal sharding at https://groups.google.com/a/chromium.org/d/msg/ct-policy/_eXIfMf7LQQ/rt9GG3orAwAJ , which provides for clear timelines for how long a log will operate until it's rotated or gracefully shut down.

Regarding monitoring, I believe this meets sufficient criteria to begin monitoring, although we should wait for further details on policy.
Labels: -TE-NeedsTriageHelp Needs-Feedback
Hi Ryan,

Thanks for your comment.

We read the discussion you referred to, and we came up with the following planned timescale after discussion within our team:
Certificate Expiry Range: [2018-01-01 00:00:00 UTC, 2023-01-01 00:00:00 UTC)

Let me know if you have any further questions.

Thanks.

Comment 6 by sheriffbot@chromium.org, Oct 16 2017

Labels: -Needs-Feedback
Thank you for providing more feedback. Adding requester "rsleevi@chromium.org" to the cc list and removing "Needs-Feedback" label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
NextAction: 2018-04-20
The NextAction date has arrived: 2018-04-20
Owner: asymmetric@chromium.org
Status: Started (was: Unconfirmed)
Owner: katjoyce@google.com
Hi there, I'm just setting up the monitoring for these Logs, and I notice that the email address provided is what looks to be a personal gmail address.  I also notice that the previously submitted GDCA Logs used a gdca business email address - capoc@gdca.com.cn.  I just wanted to double check that wangsn1206@gmail.com is the contact email address you'd like associated with these Logs?
Hi, thanks for your comments. I am Xiu Lei with GDCA. The reason we put a gmail address is because our corporate email previously occasionally blocked e-mails from overseas, which has now been fixed; therefore, we would like to update our contact information as follows:

  - Log Operator: GDCA
  - Email: capoc@gdca.com.cn
  - Telephone: +86(20)83487228-864
  - Authorized Personnel: Xiu Lei

Many Thanks!

Thank you for your request, we have started monitoring your Log server. Should no issues be detected, the initial compliance monitoring phase will be complete on August 13th 2018 and we will update this bug shortly after that date to confirm.
Labels: Needs-Feedback
Hello Xiu Lei,

Thank you for providing your updated contact information. Could you possibly update this request using an official @gdca.com.cn email address or reach out to me via email using an official address? We just want to ensure that this request (especially the phone number change) is coming from an official GDCA representative and it's difficult to validate this from your gmail account.
Hi Devon,

Many thanks for your comment. I understand your concern, but it seems that only a Google account (which requires a gmail address in our case) can post on this platform. I will reach out to you via our official email address (capoc@gdca.com.cn) to confirm the request. Many thanks!
Labels: -Needs-Feedback
This log has passed the initial 90 day compliance period and we will start the process to add this to Chrome.
Owner: asymmetric@chromium.org
The log's description states: "Open acceptance policy: This log is hosted on the AWS in the U.S, and accepts all roots that are enabled for the server authentication trust purpose in one or more of the Microsoft, Mozilla, Apple and Google root programs.  We will update this log's list of accepted roots from time to time in accordance with this policy."

However, at the present time only two roots are accepted by this log:

C=CN, O=GUANG DONG CERTIFICATE AUTHORITY CO.,LTD., CN=GDCA TrustAUTH R5 ROOT
C=GB, ST=London, O=Google UK Ltd., OU=Certificate Transparency, CN=Merge Delay Monitor Root

Could GDCA clarify what its acceptance policy is?
Hi

Many thanks for your comments.

The acceptance policy for the GDCA CT Logs remains unchanged. Our team is now working to add all the trusted root certificates in NSS and in the Apple Root Certificate Program; we will update here soon.

Thanks.

Xiu Lei
GDCA

Hi

The accepted roots are updated, and this CT Log now accepts the certificates issued by a total of 527 root certificates. Please see the attached PEM file.

Many thanks!

Xiu Lei
GDCA

Attachment: gdca-ct-trust-roots-updated.pem (1003 KB)
Cc: certific...@googlegroups.com
Un-incorporated SCTs from this log were found. Please see the discussion at: https://groups.google.com/a/chromium.org/forum/#!topic/ct-policy/Emh3ZaU0jqI
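The two log parameters this thread turns on are the 24 hour Maximum Merge Delay in the application and the temporal shard range [2018-01-01, 2023-01-01) given in GDCA's reply; the "un-incorporated SCTs" finding above is exactly a monitor observing that the first of these was not honoured. The following Go program is an added example, not code from this issue, from GDCA, or from the Chrome CT team: it shows how a monitor decides that an SCT has missed its MMD deadline (an STH observed at or after timestamp + MMD that still does not contain the entry) and whether a certificate's NotAfter falls inside the log's shard. The `SCT`, `Incorporation` and `Violation` types, the string `LeafHash` label standing in for a real Merkle leaf hash, and the sample timestamps are all constructed for the example; a real monitor would obtain inclusion status from the log's get-proof-by-hash endpoint.

```go
package main

import (
	"fmt"
	"time"
)

// Parameters taken from the application above: a 24 hour MMD and a temporal
// shard covering certificates that expire in [2018-01-01, 2023-01-01).
const MaxMergeDelay = 24 * time.Hour

var (
	ShardStart = time.Date(2018, 1, 1, 0, 0, 0, 0, time.UTC)
	ShardEnd   = time.Date(2023, 1, 1, 0, 0, 0, 0, time.UTC)
)

// InShard reports whether a certificate with the given NotAfter belongs to this
// log's temporal shard. The interval is half-open, as the policy writes it.
func InShard(notAfter time.Time) bool {
	return !notAfter.Before(ShardStart) && notAfter.Before(ShardEnd)
}

// SCT is the subset of a Signed Certificate Timestamp this check needs.
// LeafHash is a hypothetical string label; a real monitor keys on the Merkle leaf hash.
type SCT struct {
	LeafHash  string
	Timestamp time.Time // start of the MMD clock
}

// Incorporation is what a monitor has learned from the log: the timestamp of
// the latest STH it observed and which entries that tree contains (constructed
// abstraction of a get-proof-by-hash lookup).
type Incorporation struct {
	STHTimestamp time.Time
	Included     map[string]bool
}

// Violation records an SCT whose MMD deadline passed before the entry appeared
// in a tree head the monitor observed.
type Violation struct {
	LeafHash string
	Deadline time.Time
}

// CheckMMD flags every SCT that is absent from the observed tree even though
// that tree's STH was issued at or after the SCT's deadline (timestamp + MMD).
// An STH issued before the deadline proves nothing yet, so such SCTs are skipped.
func CheckMMD(scts []SCT, inc Incorporation, mmd time.Duration) []Violation {
	var out []Violation
	for _, s := range scts {
		if inc.Included[s.LeafHash] {
			continue
		}
		deadline := s.Timestamp.Add(mmd)
		if !inc.STHTimestamp.Before(deadline) {
			out = append(out, Violation{LeafHash: s.LeafHash, Deadline: deadline})
		}
	}
	return out
}

func main() {
	// Constructed sample: two SCTs issued at 2018-06-01 10:00 UTC and an STH
	// observed 25 hours later that contains only the first entry.
	issued := time.Date(2018, 6, 1, 10, 0, 0, 0, time.UTC)
	scts := []SCT{{"leaf-A", issued}, {"leaf-B", issued}}
	inc := Incorporation{
		STHTimestamp: issued.Add(25 * time.Hour),
		Included:     map[string]bool{"leaf-A": true},
	}
	for _, v := range CheckMMD(scts, inc, MaxMergeDelay) {
		fmt.Printf("MMD violation: %s not incorporated by %s\n", v.LeafHash, v.Deadline.UTC())
	}
	fmt.Println("expiry 2022-12-31 in shard:", InShard(time.Date(2022, 12, 31, 0, 0, 0, 0, time.UTC)))
	fmt.Println("expiry 2023-01-01 in shard:", InShard(ShardEnd))
}
```

The deadline comparison is deliberately against the STH timestamp rather than the monitor's wall clock: a log is only accountable for entries relative to tree heads it has signed, so a missing entry is evidence of a violation only once the log has published an STH dated after the MMD window closed.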
Status: WontFix (was: Started)
Per our post on the discussion of this incident[1], GDCA Log 1 will not be included as a qualified CT Log in Chrome. GDCA is welcome to apply for qualification with a new CT Log with new key material by filing a new application as described in the Chrome Log Policy and we strongly encourage pursuing the use of an actively maintained CT Log code base.

[1] https://groups.google.com/a/chromium.org/d/msg/ct-policy/Emh3ZaU0jqI/SvnygFVsBAAJ
Hi All,
 
We understand and accept your decision. We are now actively working on a Go-based CT Log, and may re-apply for inclusion in the near future.

Thank you for your time.

Xiu Lei
GDCA