New issue
Advanced search Search tips

Issue 859093 link

Starred by 1 user
Status: Assigned
Owner:
katjoyce@google.com
Cc:
eranm@chromium.org
asymmetric@chromium.org
rsleevi@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Android , Windows , Chrome , Mac
Pri: 2
Type: Task



Sign in to add a comment

Certificate Transparency - Cloudflare "nimbus2022" Log Server Inclusion Request

Reported by brendan@cloudflare.com, Jun 29 2018 
UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36

Steps to reproduce the problem:
N/A

What is the expected behavior?

What went wrong?
N/A

Did this work before? N/A 

Chrome version: 67.0.3396.99  Channel: stable
OS Version: OS X 10.13.5
Flash Version: 

* A phone number: +1 (424) 353-4399
* A list of person(s) authorized to represent the Log Operator:
** Brendan McMillion (brendan@cloudflare.com)
** Nick Sullivan (nick@cloudflare.com)
** Patrick Donahue (pat@cloudflare.com)

A public HTTP endpoint that responds to all Log Client Messages indicated in RFC 6962, Section 4:
https://ct.cloudflare.com/logs/nimbus2022

Log ID: QcjKsd8iRkoQxqE6CUKHXk4xixsD6+tLx2jwkGKWBvY=

nimbus2022 is an open and free log. Certificates that are anchored by a root that is included in root store from major browsers and operating systems such as those operated by Microsoft, Apple, and Mozilla will be trusted.

* The Nimbus logs are sharded based on the leaf certificate’s expiration date
** Nimbus2022 will only accept certificates that expire between Jan 01 2022 00:00:00Z inclusive to Jan 01 2023 00:00:00Z exclusive
* Revoked and expired certificates will be accepted if their dates fall within the accepted range and they chain up to a trusted root at the time of submission and the trust chain is composed of unexpired and unrevoked CA certificates
* We reserve the right to rate limit submissions by
** IP address
** Trusted root
** An overall maximum throughput, as dictated by operational requirements
* Rate limited requests will be denied with an HTTP error status code
* The Maximum Merge Delay (MMD) of the Log is 24h
* All of the Accepted Root Certificates of the Log
** (attached)

We will freeze nimbus2022 once its inclusion expiry window has passed and close it for new submissions as of Jan 01 2023 00:00:00Z. We will then request that trust be withdrawn from this log by Chromium as all the certificates it contains will have expired.
pubkey.nimbus2022.der
91 bytes Download

Comment 1 by rsesek@chromium.org, Jun 29 2018

Components: Internals>Network>CertTrans
Labels: OS-Android OS-Chrome OS-Linux OS-Windows

Comment 2 by phanindra.mandapaka@chromium.org, Aug 13

Cc: phanindra.mandapaka@chromium.org
Labels: Triaged-ET TE-NeedsTriageHelp
As the issue is not reproducible at TE end, As it is related to "Cloud flare nimbus2022 Log Server". Hence adding 'TE-NeedsTriageHelp' label and requesting the Internals>Network>CertTrans team to look into the issue and help in further triaging.

Thanks.!

Comment 3 by robpercival@google.com, Oct 3

Cc: -phanindra.mandapaka@chromium.org
Labels: -Type-Bug -TE-NeedsTriageHelp -Via-Wizard-Other -Triaged-ET Type-Task
Owner: asymmetric@chromium.org
Status: Assigned (was: Unconfirmed)

Comment 4 by asymmetric@chromium.org, Nov 6

Owner: katjoyce@google.com
Thank you for requesting monitoring. The log application looks good and it meets all the criteria for inclusion. Assigning to begin the monitoring window. 

Just for confirmation since the roots aren't attached, are nimbus2022 and nimbus2023 using the same set of accepted root certificates as the other nimbus shards? (that is ca-bundle.pem in https://bugs.chromium.org/p/chromium/issues/detail?id=780657)

Comment 5 by brendan@cloudflare.com, Nov 6 

All the shards accept the same set of roots, but I'll attach the current one because there's been so many changes.
ca-bundle.pem
570 KB Download

Comment 6 by katjoyce@google.com, Nov 8 

Thank you for your request, we have started monitoring your Log server.
Should no issues be detected, the initial compliance monitoring phase
will be complete on Feb 6th 2019 and we will update this bug
shortly after that date to confirm.

Sign in to add a comment