Issue 801624

Issue metadata

Status: Fixed
Closed: Jan 10
OS: Linux, Android, Windows, Chrome, Mac, Fuchsia
Pri: 1
Type: Bug


DigiCert High Performance Log 2

Reported by rowley...@gmail.com, Jan 12 2018

Issue description

UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36

Steps to reproduce the problem:
This is the second DigiCert high performance/sharded log. We plan on replacing the Symantec logs with these, and will stop operating the Symantec logs around Sep 2018. By then, all certs expected to work in Chrome will be migrated to DigiCert's infrastructure. There are a handful of small CAs using those logs. We'll contact them and let them know of the replacement. 

This log, like Yeti, is open to all public trusted CAs free of charge. Nessie and Yeti are our two future-looking logs that are built on our scalable infrastructure. Nessie was tested up to about a billion certs. Like Yeti, Nessie consists of five logs, sharded in one year increments based on when the certificate expires.

The PEM is attached for all five logs. 
MMD is 24 hours for all logs

Contact info will be:
Email: ctops@digicert.com
Phone: 801-633-8482
Authorized persons: Jeremy Rowley, Rick Roos, Dan Timpson, Wade Choules (all of us are on the ctops email  alias)

Here are the URLs and their Certificate Expiry Range:
https://nessie2018.ct.digicert.com/log   Dec 12 2017 00:00:00Z inclusive to Jan 01 2019 00:00:00Z exclusive
https://nessie2019.ct.digicert.com/log   Jan 01 2019 00:00:00Z inclusive to Jan 01 2020 00:00:00Z exclusive
https://nessie2020.ct.digicert.com/log   Jan 01 2020 00:00:00Z inclusive to Jan 01 2021 00:00:00Z exclusive
https://nessie2021.ct.digicert.com/log   Jan 01 2021 00:00:00Z inclusive to Jan 01 2022 00:00:00Z exclusive
https://nessie2022.ct.digicert.com/log   Jan 01 2022 00:00:00Z inclusive to Jan 01 2023 00:00:00Z exclusive

What is the expected behavior?

What went wrong?
All roots trusted in the NSS root store are included by default in this log.

Did this work before? N/A 

Chrome version: 63.0.3239.132  Channel: stable
OS Version: 10.0
Flash Version:
 
nessie-public-keys.zip
1.1 KB Download
Labels: Triaged-ET TE-NeedsTriageHelp Needs-Triage-M63
The issue seems to be out of TE-scope as it is related to analysing performance log. Hence, adding label TE-NeedsTriageHelp for further investigation from dev team.

Thanks...!!
Components: Internals>CertAnalysis
Cc: certific...@googlegroups.com
Components: -Internals>CertAnalysis Internals>Network>CertTrans
Labels: -Arch-x86_64 -TE-NeedsTriageHelp -Via-Wizard-Other -Needs-Triage-M63 -Triaged-ET OS-Android OS-Chrome OS-Fuchsia OS-Linux OS-Mac
Owner: asymmetric@chromium.org
Status: Assigned (was: Unconfirmed)

Comment 4 by a...@alexcohn.com, Jan 30 2018

Are the 2019-2022 logs' allowed ranges configured correctly? They have no certificates in them, and when I try to add a 2019-expiring certificate to the 2019 shard, I get this error: "The certificate does not expire within the allowed range."

Comment 5 by rowley...@gmail.com, Jan 30 2018

Looking into it.  Thanks!

Comment 6 by rowley...@gmail.com, Jan 30 2018

Fixed now.  We accidentally set all the logs to 2018 when rolling them to
production. Sorry about that!
Has Google started monitoring the set of nessie logs, and if so, when did that start and when do you expect the 90-day period to end?
Nessie 2018 has incorporated a certificate expiring on 2020-06-01 at log index 102684.

I've raised the negative impacts this can have on the ecosystem (and potential mitigations) in this ct-policy thread: https://groups.google.com/a/chromium.org/forum/#!topic/ct-policy/FNj7S4mbmi0
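
An added example, not written by any participant in this thread: a monitor-side check for the shard ranges listed in the issue description and for the out-of-range entry reported above. It parses the range lines as posted, treats each range as half-open, and reports entries that belong to a different shard. The function names and the sample entries are assumptions made for this illustration.

```python
import re
from datetime import datetime, timezone

# Shard ranges exactly as listed in the issue description.
RANGES = """\
https://nessie2018.ct.digicert.com/log   Dec 12 2017 00:00:00Z inclusive to Jan 01 2019 00:00:00Z exclusive
https://nessie2019.ct.digicert.com/log   Jan 01 2019 00:00:00Z inclusive to Jan 01 2020 00:00:00Z exclusive
https://nessie2020.ct.digicert.com/log   Jan 01 2020 00:00:00Z inclusive to Jan 01 2021 00:00:00Z exclusive
https://nessie2021.ct.digicert.com/log   Jan 01 2021 00:00:00Z inclusive to Jan 01 2022 00:00:00Z exclusive
https://nessie2022.ct.digicert.com/log   Jan 01 2022 00:00:00Z inclusive to Jan 01 2023 00:00:00Z exclusive
"""
MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}
STAMP = r"(\w{3}) (\d{2}) (\d{4}) (\d{2}):(\d{2}):(\d{2})Z"
LINE = re.compile(rf"(\S+)\s+{STAMP} inclusive to {STAMP} exclusive")


def _utc(mon, day, year, hh, mm, ss):
    return datetime(int(year), MONTHS[mon], int(day), int(hh), int(mm),
                    int(ss), tzinfo=timezone.utc)


def parse_shards(text):
    """Return {log_url: (start_inclusive, end_exclusive)}."""
    shards = {}
    for m in LINE.finditer(text):
        g = m.groups()
        shards[g[0]] = (_utc(*g[1:7]), _utc(*g[7:13]))
    return shards


def shard_for(shards, not_after):
    """URL of the shard whose range covers this notAfter, or None."""
    for url, (start, end) in shards.items():
        if start <= not_after < end:    # half-open: the end instant is the next shard's
            return url
    return None


def audit(shards, url, entries):
    """Return (index, notAfter, covering_shard) for entries outside url's range."""
    start, end = shards[url]
    return [(i, na, shard_for(shards, na)) for i, na in entries
            if not start <= na < end]


# Constructed sample: the index and expiry date come from the report above;
# the time of day and the second entry are made up for the illustration.
SAMPLE_2018 = [(102684, datetime(2020, 6, 1, tzinfo=timezone.utc)),
               (7, datetime(2018, 7, 1, tzinfo=timezone.utc))]
```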

Comment 9 by rowley...@gmail.com, Feb 28 2018

Looks like we had a bug in our pre-cert submission code. We deployed a patch to both Nessie and Yeti to fix it.

Comment 10 by rickr...@gmail.com, Mar 28 2018

We are adding the 'DigiCert Trusted Root G4' root to our CT server.


Owner: katjoyce@google.com
Application looks good; over to the CT Team for monitoring. 
Not counting the to-be-decommissioned Symantec-branded logs, DigiCert already has two logs trusted by Chrome (ct1.digicert-ct.com/log and ct2.digicert-ct.com/log).  DigiCert is also applying for the inclusion of Yeti in https://bugs.chromium.org/p/chromium/issues/detail?id=796333

With the new three log limit, only one of Yeti or Nessie can be accepted.  Considering that Nessie 2018 contains several certificates expiring *after* 2018, I think this application should be closed in favor of Yeti.
Actually, I'd prefer to shut down CT2 and get Nessie and Yeti included.
However, we wanted to migrate CT1 to our new system before decommissioning
CT2. Is there a timeframe when this new log policy should go into effect? I
can work to decommission CT2 by then
There does still need to be a discussion about the fact that Nessie2018 contains certificates that expire after their stated certificate expiration range, and what that means for the Log.

However, in the interest of getting the monitoring period started, we have now started monitoring the Nessie Logs.  The initial compliance monitoring phase will be complete on July 2nd 2018 and we will update this bug shortly after that date to confirm.

I am starting the monitoring period now, so that in the case that some agreement is come to that allows the 2018 issue to not prevent the Logs from being included in Chrome, these Logs will not have to wait the full 90 days after that decision is made to go through the inclusion process.

Comment 15 by rickr...@gmail.com, Jun 12 2018

We are adding the 'SSL.com EV Root Certification Authority RSA R2' root to all Nessie logs.

Owner: asymmetric@chromium.org
These logs have now passed the initial 90 day compliance period.

However, the discussion about the fact that Nessie2018 contains certificates that expire after their stated certificate expiration range, and what that means for the Log has still not yet happened.  Assigning to Chrome Security to make a decision on this.

Devon - if the Nessie Logs get the go-ahead to be added to Chrome, assign back to me and I will do the work on our side to make this happen.
We are adding the 'Atos TrustedRoot 2011' root to all the Nessie logs.


I just reported the following to ctops@digicert.com regarding Nessie 2022:

Since approximately 2018-08-31 01:07 UTC,
https://nessie2022.ct.digicert.com has been serving a certificate that
is valid only for nessie2021.ct.digicert.com.

If you ignore the certificate error, the get-sth endpoint
returns an STH that is signed with Nessie 2021's key:

$ curl -k https://nessie2022.ct.digicert.com/log/ct/v1/get-sth
{ "tree_size": 19458, "timestamp": 1535691600148, "sha256_root_hash": "J22GoiIfWlU8ODssTx9+jpkDoVgDws+pf7r0LFavck0=", "tree_head_signature": "BAMASDBGAiEAiY\/djyUe\/yiy2c7JSsb38v1ecodl1y5Q9\/YNI60+swoCIQCvUHF9cHw\/\/ftRbBjZSrCYet5iJrFSsBGllRvB3cjXBg==" }(tintin../usr2/andrew)

Here are the DNS records being used to resolve
nessie2022.ct.digicert.com:

nessie2022.ct.digicert.com. 3584 IN     CNAME   ct-nessie-2021-lb-973220067.us-east-2.elb.amazonaws.com.
ct-nessie-2021-lb-973220067.us-east-2.elb.amazonaws.com. 44 IN A 52.14.21.18
ct-nessie-2021-lb-973220067.us-east-2.elb.amazonaws.com. 44 IN A 18.217.114.242
Nessie has been approved to become a Qualified CT Log and will be incorporated into an upcoming release of Chrome.

Note: Certificates logged outside of a Log Shard's expiry range will function until the Log is retired in Chrome, after which point such certificates relying on these SCTs may stop functioning due to updated clients no longer recognizing the Log Shard as Qualified.
Is there an idea for what version of Chrome the Nessie logs will include into such as 71 (fingers crossed) or 72?

Thanks,
Rick
friendly ping :)
Project Member

Comment 22 by bugdroid1@chromium.org, Jan 8

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/deff9cc833191536b85769a23e8a35b79d05775f

commit deff9cc833191536b85769a23e8a35b79d05775f
Author: Devon O'Brien <asymmetric@chromium.org>
Date: Tue Jan 08 22:19:20 2019

Add DigiCert Nessie CT Logs

Adding Nessie 2018, 2019, 2020, 2021 2022 CT Log shards to the list of
Qualified CT Logs.

Bug:  801624 
Change-Id: Ib1f0f83bbd18c47ef55f862091416450e034a345
Reviewed-on: https://chromium-review.googlesource.com/c/1391872
Commit-Queue: Ryan Sleevi <rsleevi@chromium.org>
Reviewed-by: Ryan Sleevi <rsleevi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#620903}
[modify] https://crrev.com/deff9cc833191536b85769a23e8a35b79d05775f/components/certificate_transparency/data/log_list.json

Status: Fixed (was: Assigned)
Labels: Target-72 M-72
Labels: -Pri-2 Merge-Request-72 Pri-1
Requesting merge to M72 - safe, data only change.
Project Member

Comment 26 by sheriffbot@chromium.org, Jan 10

Labels: -Merge-Request-72 Merge-Review-72 Hotlist-Merge-Review
This bug requires manual review: M72 has already been promoted to the beta branch, so this requires manual review
Please contact the milestone owner if you have questions.
Owners: govind@(Android), kariahda@(iOS), djmm@(ChromeOS), abdulsyed@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: -Merge-Review-72 Merge-Approved-72
Approving merge to M72 branch 3626 based on comment #25. Please merge ASAP. Thank you.
Pls merge your change to M72 branch 3626 latest by 1:00 PM PT, Monday (11/14) so we can pick it up for next week beta release. Thank you.
Project Member

Comment 29 by sheriffbot@chromium.org, Jan 14 (6 days ago)

Cc: gov...@chromium.org awhalley@google.com
This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible!

If all merges have been completed, please remove any remaining Merge-Approved labels from this issue.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 30 by awhalley@google.com, Jan 14 (5 days ago)

Owner: awhalley@google.com
I can do the merge
Project Member

Comment 31 by bugdroid1@chromium.org, Jan 14 (5 days ago)

Labels: -merge-approved-72 merge-merged-3626
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/9ec335acd6c6d60bf679eea6c771bfb17d4622a6

commit 9ec335acd6c6d60bf679eea6c771bfb17d4622a6
Author: Andrew R. Whalley <awhalley@chromium.org>
Date: Mon Jan 14 19:18:14 2019

[M72 merge] Add DigiCert Nessie CT Logs

Adding Nessie 2018, 2019, 2020, 2021 2022 CT Log shards to the list of
Qualified CT Logs.

TBR=asymmetric@chromium.org

(cherry picked from commit deff9cc833191536b85769a23e8a35b79d05775f)

Bug:  801624 
Change-Id: Ib1f0f83bbd18c47ef55f862091416450e034a345
Reviewed-on: https://chromium-review.googlesource.com/c/1391872
Commit-Queue: Ryan Sleevi <rsleevi@chromium.org>
Reviewed-by: Ryan Sleevi <rsleevi@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#620903}
Reviewed-on: https://chromium-review.googlesource.com/c/1409843
Reviewed-by: Andrew Whalley <awhalley@chromium.org>
Cr-Commit-Position: refs/branch-heads/3626@{#671}
Cr-Branched-From: d897fb137fbaaa9355c0c93124cc048824eb1e65-refs/heads/master@{#612437}
[modify] https://crrev.com/9ec335acd6c6d60bf679eea6c771bfb17d4622a6/components/certificate_transparency/data/log_list.json

Project Member

Comment 32 by cr-audit...@appspot.gserviceaccount.com, Jan 14 (5 days ago)

Labels: Merge-Merged-72-3626
The following revision refers to this bug: 
https://chromium.googlesource.com/chromium/src.git/+/9ec335acd6c6d60bf679eea6c771bfb17d4622a6

Commit: 9ec335acd6c6d60bf679eea6c771bfb17d4622a6
Author: awhalley@chromium.org
Commiter: awhalley@chromium.org
Date: 2019-01-14 19:18:14 +0000 UTC

[M72 merge] Add DigiCert Nessie CT Logs

Adding Nessie 2018, 2019, 2020, 2021 2022 CT Log shards to the list of
Qualified CT Logs.

TBR=asymmetric@chromium.org

(cherry picked from commit deff9cc833191536b85769a23e8a35b79d05775f)

Bug:  801624 
Change-Id: Ib1f0f83bbd18c47ef55f862091416450e034a345
Reviewed-on: https://chromium-review.googlesource.com/c/1391872
Commit-Queue: Ryan Sleevi <rsleevi@chromium.org>
Reviewed-by: Ryan Sleevi <rsleevi@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#620903}
Reviewed-on: https://chromium-review.googlesource.com/c/1409843
Reviewed-by: Andrew Whalley <awhalley@chromium.org>
Cr-Commit-Position: refs/branch-heads/3626@{#671}
Cr-Branched-From: d897fb137fbaaa9355c0c93124cc048824eb1e65-refs/heads/master@{#612437}

Comment 33 by rickr...@gmail.com, Jan 16 (4 days ago)

Yeti2023 inclusion request:

We are adding the next partition to the Yeti logs to ensure they are usable by the time a certificate can expire within the range.

Contact info will be:
Email: ctops@digicert.com
Phone: 801-633-8482
Authorized persons: Jeremy Rowley, Rick Roos, Dan Timpson, Wade Choules (all of us are on the ctops email alias)

Log URL: https://yeti2023.ct.digicert.com/log
Certificate Expiry Range: Jan 01 2023 00:00:00Z inclusive to Jan 01 2024 00:00:00Z exclusive
MMD: 24 hours
Accepted roots: The same roots as for the existing Yeti Logs
Server public key: file attached (yeti_2023_public_key.der)
yeti_2023_public_key.der
91 bytes Download

Comment 34 by rickr...@gmail.com, Jan 16 (4 days ago)

Sorry, I posted this to the wrong bug.  Here is the correct post.

Nessie2023 inclusion request:

We are adding the next time partition to the Nessie logs to ensure they are usable by the time a certificate can expire within the range.

Contact info will be:
Email: ctops@digicert.com
Phone: 801-633-8482
Authorized persons: Jeremy Rowley, Rick Roos, Dan Timpson, Wade Choules (all of us are on the ctops email alias)

Log URL: https://nessie2023.ct.digicert.com/log
Certificate Expiry Range: Jan 01 2023 00:00:00Z inclusive to Jan 01 2024 00:00:00Z exclusive
MMD: 24 hours
Accepted roots: The same roots as for the existing Nessie Logs
Server public key: file attached (nessie_2023_public_key.der)
nessie_2023_public_key.der
45 bytes Download

Comment 35 by a...@alexcohn.com, Jan 16 (4 days ago)

Are you sure that's the correct key for Nessie 2023? I'm trying to parse it with OpenSSL and getting errors; it's also about half the size of the other keys.

$ openssl pkey -inform der -pubin -in nessie_2023_public_key.der -noout -text
unable to load Public Key
4659537344:error:10067066:elliptic curve routines:ec_GFp_simple_oct2point:invalid encoding:crypto/ec/ecp_oct.c:312:
4659537344:error:10098010:elliptic curve routines:o2i_ECPublicKey:EC lib:crypto/ec/ec_asn1.c:1095:
4659537344:error:100D708E:elliptic curve routines:eckey_pub_decode:decode error:crypto/ec/ec_ameth.c:157:
4659537344:error:0B09407D:x509 certificate routines:x509_pubkey_decode:public key decode error:crypto/x509/x_pubkey.c:124:

Comment 36 by rickr...@gmail.com, Jan 16 (4 days ago)

Thanks for the catch. This should be the corrected key.
corrected_nessie_2023_public_key.der
91 bytes Download
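
An added example, not written by any participant in this thread: a structural check that a submitted log key is a well-formed DER SubjectPublicKeyInfo before it is accepted, the kind of check that catches a file like the 45-byte one discussed in comments 35 and 36. It assumes the log key is ECDSA on NIST P-256 (one of the key types RFC 6962 allows, and the type whose encoding is 91 bytes); the function names and both sample keys are constructed for this illustration.

```python
# Assumption: the log key is an ECDSA P-256 key in a DER SubjectPublicKeyInfo.
P = 2**256 - 2**224 + 2**192 + 2**96 - 1              # P-256 field prime
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
OID_EC_PUBLIC_KEY = bytes.fromhex("2a8648ce3d0201")   # 1.2.840.10045.2.1
OID_PRIME256V1 = bytes.fromhex("2a8648ce3d030107")    # 1.2.840.10045.3.1.7


def read_tlv(buf, pos, tag):
    """Read one DER TLV at pos; return (value, next_pos) or raise ValueError."""
    if pos + 2 > len(buf) or buf[pos] != tag:
        raise ValueError(f"expected tag 0x{tag:02x} at offset {pos}")
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                                 # long-form length
        n = length & 0x7F
        if n == 0 or n > 2 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length field")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError(f"truncated: need {length} bytes, have {len(buf) - pos}")
    return buf[pos:pos + length], pos + length


def check_p256_spki(der):
    """Return 'ok', or a short reason why the key must not be accepted."""
    try:
        spki, end = read_tlv(der, 0, 0x30)            # SubjectPublicKeyInfo
        alg, pos = read_tlv(spki, 0, 0x30)            # AlgorithmIdentifier
        bits, pos = read_tlv(spki, pos, 0x03)         # subjectPublicKey
        alg_oid, apos = read_tlv(alg, 0, 0x06)
        curve_oid, apos = read_tlv(alg, apos, 0x06)
    except ValueError as exc:
        return f"malformed DER: {exc}"
    if end != len(der) or pos != len(spki) or apos != len(alg):
        return "trailing bytes"
    if alg_oid != OID_EC_PUBLIC_KEY or curve_oid != OID_PRIME256V1:
        return "not an id-ecPublicKey on prime256v1"
    if len(bits) != 66 or bits[0] != 0 or bits[1] != 0x04:
        return "public key is not a 65-byte uncompressed point"
    x = int.from_bytes(bits[2:34], "big")
    y = int.from_bytes(bits[34:66], "big")
    if x >= P or y >= P or (y * y - (x * x * x - 3 * x + B)) % P != 0:
        return "point is not on the P-256 curve"
    return "ok"


# Constructed samples (not the files attached to this issue): the P-256 base
# point wrapped in a SubjectPublicKeyInfo, and the same bytes cut to 45.
GOOD = bytes.fromhex(
    "3059301306072a8648ce3d020106082a8648ce3d030107034200"
    "04" "6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296"
    "4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5")
TRUNCATED = GOOD[:45]
```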
