Starred by 6 users

Issue metadata

Status: WontFix
Closed: Mar 2018




Issue 780653: Certificate Transparency - Cloudflare "nimbus2017" Log Server Inclusion Request

Reported by n...@cloudflare.com, Nov 1 2017

Issue description

Contact Information for the Log Operator
* An email or e-mail alias that is continuously monitored by the Log Operator: ct-logs@cloudflare.com
* A phone number: +1 (424) 353-4399
* A list of person(s) authorized to represent the Log Operator:
** Brendan McMillion (brendan@cloudflare.com)
** Nick Sullivan (nick@cloudflare.com)
** Patrick Donahue (pat@cloudflare.com)
** Zi Lin (zi@cloudflare.com)
** Ivan Babrou (ivan@cloudflare.com)

A public HTTP endpoint that responds to all Log Client Messages indicated in RFC 6962, Section 4:
https://ct.cloudflare.com/logs/nimbus2017

Log ID: H7w24ALt6X9AGZ6Gs1c7ikIX2AGHdGrQ2gOgYFTSDfQ=

nimbus2017 is an open and free log. Certificates that are anchored by a root that is included in the root stores of major browsers and operating systems, such as those operated by Microsoft, Apple, and Mozilla, will be trusted. This trust store will be managed on GitHub at https://github.com/cloudflare/cfssl_trust.

* The Nimbus logs are sharded based on the leaf certificate’s expiration date
** Nimbus2017 will only accept certificates that expire between Jan 01 2017 00:00:00Z inclusive and Jan 01 2018 00:00:00Z exclusive
* Revoked and expired certificates will be accepted if their dates fall within the accepted range and they chain up to a trusted root at the time of submission and the trust chain is composed of unexpired and unrevoked CA certificates
* We reserve the right to rate limit submissions by
** IP address
** Trusted root
** An overall maximum throughput, as dictated by operational requirements
* Rate limited requests will be denied with an HTTP error status code
* The Maximum Merge Delay (MMD) of the Log is 24h
* All of the Accepted Root Certificates of the Log
** (attached)

We will freeze nimbus2017 once its inclusion expiry window has passed and close it for new submissions as of Jan 01 2018 00:00:00Z. We will then request that trust be withdrawn from this log by Chromium as all the certificates it contains will have expired.
 
pubkey.nimbus2017.der (91 bytes)
ca-bundle.pem (528 KB)

Comment 1 by rsleevi@chromium.org, Nov 1 2017

Components: -Infra Internals>Network>CertTrans
Labels: -Infra-PRR
Owner: asymmetric@chromium.org

Comment 2 by a...@alexcohn.com, Nov 2 2017

There are only 60 days remaining in 2017. By the time this log finishes its 60 day monitoring period, it will be frozen and no longer useful to include in Chromium. Am I missing something, or is this moot?

Comment 3 Deleted

Comment 4 by grahamed...@gmail.com, Nov 9 2017

My monitor didn't see any STHs between the STHs signed at 2017-11-08 05:02:27.965+00 and 2017-11-09 06:08:34.123+00, which is longer than the log's MMD.

I didn't see the same problem on the 2018->2021 logs.
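
The kind of check Comment 4 describes, as an added example that is not part of the original thread and not any monitor's actual code: it parses get-sth response bodies (RFC 6962, Section 4.3) and reports consecutive STHs signed more than the 24h MMD apart. The function names and sample bodies are assumptions; only the two timestamps from Comment 4 come from the page.

```python
import json
from datetime import datetime, timedelta, timezone

MMD = timedelta(hours=24)  # Maximum Merge Delay declared in the log application
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

# Constructed get-sth response bodies. The second and third timestamps are the
# two STH times quoted in Comment 4; tree sizes and the other timestamps are
# invented, and the root hash and signature fields are left out because this
# check does not verify signatures.
SAMPLE_STHS = [
    '{"tree_size": 41200, "timestamp": 1510099347965}',
    '{"tree_size": 41950, "timestamp": 1510117347965}',
    '{"tree_size": 43100, "timestamp": 1510207714123}',
    '{"tree_size": 43100, "timestamp": 1510211314123}',
]


def sth_time(body):
    """Return (signing time, tree_size) from one get-sth JSON body."""
    sth = json.loads(body)
    ts, size = sth["timestamp"], sth["tree_size"]
    if not isinstance(ts, int) or not isinstance(size, int) or ts < 0 or size < 0:
        raise ValueError("malformed STH: %r" % body)
    # RFC 6962 timestamps are milliseconds since the epoch; integer math keeps them exact.
    return EPOCH + timedelta(milliseconds=ts), size


def find_mmd_gaps(bodies, mmd=MMD):
    """List (previous, next, gap) for consecutive STHs more than `mmd` apart.

    STHs are ordered by signing time first, since a monitor may fetch them
    out of order. A tree that shrinks between two STHs raises an error,
    because an append-only log must never lose entries.
    """
    heads = sorted(sth_time(b) for b in bodies)
    gaps = []
    for (t0, n0), (t1, n1) in zip(heads, heads[1:]):
        if n1 < n0:
            raise ValueError("tree_size decreased between %s and %s" % (t0, t1))
        if t1 - t0 > mmd:
            gaps.append((t0, t1, t1 - t0))
    return gaps


if __name__ == "__main__":
    for start, end, gap in find_mmd_gaps(SAMPLE_STHS):
        print("no STH between %s and %s (%s > MMD %s)" % (start, end, gap, MMD))
```

A gap found this way only reflects what the monitor observed, so it depends on how often the monitor polls get-sth.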

Comment 5 by asymmetric@chromium.org, Nov 13 2017

Owner: ----
Status: Started (was: Untriaged)
The Log Application looks good, but as mentioned in Comment 2, this log will have been frozen before the log evaluation period has completed.

I recommend we do not pursue monitoring of this Log based on the fact that it will never contain time-valid certificates by time of inclusion.

Comment 6 by asymmetric@chromium.org, Nov 13 2017

Owner: asymmetric@chromium.org

Comment 7 by rsleevi@chromium.org, Nov 13 2017

Cc: certific...@googlegroups.com

Comment 8 by n...@cloudflare.com, Jan 3 2018

nimbus2017 will be officially frozen today. No new STHs will be signed beyond this point.

Comment 9 by asymmetric@chromium.org, Mar 28 2018

Status: WontFix (was: Started)
Hi Nick,

Thanks for the original application as well as confirming that Nimbus2017 was frozen on Jan 3, 2018. 

Since Nimbus2017 Log reached the end of its expiry range before it would have completed monitoring and is already frozen, we're closing this bug as WontFix.
