Certificate Transparency - Cloudflare "nimbus2020" Log Server Inclusion Request
Reported by n...@cloudflare.com, Nov 1 2017
Issue description

Contact Information for the Log Operator
* An email or e-mail alias that is continuously monitored by the Log Operator: ct-logs@cloudflare.com
* A phone number: +1 (424) 353-4399
* A list of person(s) authorized to represent the Log Operator:
** Brendan McMillion (brendan@cloudflare.com)
** Nick Sullivan (nick@cloudflare.com)
** Patrick Donahue (pat@cloudflare.com)
** Zi Lin (zi@cloudflare.com)
** Ivan Babrou (ivan@cloudflare.com)

A public HTTP endpoint that responds to all Log Client Messages indicated in RFC 6962, Section 4: https://ct.cloudflare.com/logs/nimbus2020

Log ID: Xqdz+d9WwOe1Nkh90EngMnqRmgyEoRIShBh1loFxRVg=

nimbus2020 is an open and free log. Certificates that are anchored by a root that is included in root store from major browsers and operating systems such as those operated by Microsoft, Apple, and Mozilla will be trusted. This trust store will be managed on GitHub at https://github.com/cloudflare/cfssl_trust.

* The Nimbus logs are sharded based on the leaf certificate's expiration date
** Nimbus2020 will only accept certificates that expire between Jan 01 2020 00:00:00Z inclusive to Jan 01 2021 00:00:00Z exclusive
* Revoked and expired certificates will be accepted if their dates fall within the accepted range and they chain up to a trusted root at the time of submission and the trust chain is composed of unexpired and unrevoked CA certificates
* We reserve the right to rate limit submissions by
** IP address
** Trusted root
** An overall maximum throughput, as dictated by operational requirements
* Rate limited requests will be denied with an HTTP error status code
* The Maximum Merge Delay (MMD) of the Log is 24h
* All of the Accepted Root Certificates of the Log
** (attached)

We will freeze nimbus2020 once its inclusion expiry window has passed and close it for new submissions as of Jan 01 2021 00:00:00Z. We will then request that trust be withdrawn from this log by Chromium as all the certificates it contains will have expired.
,
Nov 13 2017
The log application looks good and it meets all the criteria for inclusion. Assigning to begin the monitoring window. Note @Nick: Would it be possible to describe your rate limiting mechanism by IP, root, and overall throughput?
,
Nov 14 2017
Thank you for your request, we have started monitoring your log server. Should no issues be detected, the initial compliance monitoring phase will be complete on the 12th of February 2018 and we will update this bug shortly after that date to confirm.
,
Nov 15 2017
@Devon We return a 403 Forbidden if there are more than a maximum number of unsequenced leaves. Currently, this is 500k, which is <1hr at 200ops. We reserve the right to implement per-IP and per-root rate limiting with a similar mechanism when under unexpected operational duress.
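The submission policy described in this thread (expiry-date sharding from the issue description, plus the backlog-based 403 from the comment above), as an added example that is not Cloudflare's code and not part of the original thread. The class and method names are hypothetical, the order of the two checks is an assumption, and the returned strings are labels; only the 403 status, the 500k cap, the 200 ops rate, the 24h MMD and the shard dates come from the page.

```python
from datetime import datetime, timezone

# Figures taken from the thread; everything else here is illustrative.
SHARD_START = datetime(2020, 1, 1, tzinfo=timezone.utc)  # inclusive
SHARD_END = datetime(2021, 1, 1, tzinfo=timezone.utc)    # exclusive
MAX_UNSEQUENCED = 500_000   # backlog cap quoted by the operator
SEQUENCE_RATE = 200         # leaves sequenced per second ("200ops")
MMD_SECONDS = 24 * 3600     # Maximum Merge Delay of 24h


class SubmissionGate:
    """Hypothetical admission check for a temporally sharded log."""

    def __init__(self, backlog=0):
        self.backlog = backlog  # leaves accepted but not yet sequenced

    def submit(self, not_after):
        """Return 'accepted', 'outside-shard' or '403-backlog' for one leaf."""
        if not_after.tzinfo is None:
            raise ValueError("notAfter must be timezone-aware")
        # Half-open window: 2020-01-01T00:00:00Z is in,
        # 2021-01-01T00:00:00Z is out.
        if not (SHARD_START <= not_after < SHARD_END):
            return "outside-shard"
        # Rejected only when there are *more than* the maximum
        # number of unsequenced leaves.
        if self.backlog > MAX_UNSEQUENCED:
            return "403-backlog"
        self.backlog += 1
        return "accepted"

    def sequence(self, seconds):
        """Drain the backlog as the sequencer would over `seconds`."""
        self.backlog = max(0, self.backlog - int(SEQUENCE_RATE * seconds))


def worst_case_drain_seconds():
    """Time to sequence a backlog that is sitting exactly at the cap."""
    return MAX_UNSEQUENCED / SEQUENCE_RATE
```

A backlog at the cap drains in 2500 seconds, which is why the cap keeps the sequencing queue far inside the 24h MMD.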
,
Feb 11 2018
The NextAction date has arrived: 2018-02-11
,
Feb 12 2018
This log has passed the initial 90 day compliance period and we will start the process to add this to Chrome.
,
Mar 1 2018
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/79966f2ee55749a3d9494f8beb1bcd9a5dcca373

commit 79966f2ee55749a3d9494f8beb1bcd9a5dcca373
Author: Devon O'Brien <asymmetric@chromium.org>
Date: Thu Mar 01 19:33:09 2018

Add Nimbus and Argon to Trusted CT Logs

The following CT Logs have passed their monitoring period and are being added as trusted Logs in Chrome:
Google Argon2018, Argon2019, Argon2020, Argon2021
Cloudflare Nimbus2018, Nimbus2019, Nimbus2020, Nimbus2021

Bug: 756814, 756817, 756818, 756819, 780654, 780655, 780656, 780657
Change-Id: I6b8671db0dc7ba34b666345049934ed3e2b5705a
Reviewed-on: https://chromium-review.googlesource.com/942688
Reviewed-by: Ryan Sleevi <rsleevi@chromium.org>
Commit-Queue: Ryan Sleevi <rsleevi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#540254}

[modify] https://crrev.com/79966f2ee55749a3d9494f8beb1bcd9a5dcca373/net/data/ssl/certificate_transparency/log_list.json
,
Mar 1 2018
This bug requires manual review: We are only 4 days from stable. Please contact the milestone owner if you have questions. Owners: cmasso@(Android), cmasso@(iOS), bhthompson@(ChromeOS), govind@(Desktop) For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Mar 1 2018
Pls apply appropriate OSs label. Thank you.
,
Mar 1 2018
+awhalley@ for M65 merge review. +cmasso@ as FYI.
,
Mar 2 2018
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/a293012d1d566826faba24c33e52343453fcedbd

commit a293012d1d566826faba24c33e52343453fcedbd
Author: Ryan Sleevi <rsleevi@chromium.org>
Date: Fri Mar 02 18:06:44 2018

Add Nimbus and Argon to Trusted CT Logs

The following CT Logs have passed their monitoring period and are being added as trusted Logs in Chrome:
Google Argon2018, Argon2019, Argon2020, Argon2021
Cloudflare Nimbus2018, Nimbus2019, Nimbus2020, Nimbus2021

TBR=asymmetric@chromium.org

(cherry picked from commit 79966f2ee55749a3d9494f8beb1bcd9a5dcca373)

Bug: 756814, 756817, 756818, 756819, 780654, 780655, 780656, 780657
Change-Id: I6b8671db0dc7ba34b666345049934ed3e2b5705a
Reviewed-on: https://chromium-review.googlesource.com/942688
Reviewed-by: Ryan Sleevi <rsleevi@chromium.org>
Commit-Queue: Ryan Sleevi <rsleevi@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#540254}
Reviewed-on: https://chromium-review.googlesource.com/946568
Cr-Commit-Position: refs/branch-heads/3325@{#647}
Cr-Branched-From: bc084a8b5afa3744a74927344e304c02ae54189f-refs/heads/master@{#530369}

[modify] https://crrev.com/a293012d1d566826faba24c33e52343453fcedbd/net/data/ssl/certificate_transparency/log_list.json
,
Mar 2 2018
(M65 merge approval granted in 756814)
Comment 1 by rsleevi@chromium.org, Nov 1 2017
Owner: asymmetric@chromium.org
Status: Untriaged (was: Unconfirmed)