Issue 889033

Issue metadata

Status: Assigned
Pri: 3
Type: Task

Certificate Transparency - Google "argon" Log Servers

Project Member Reported by robpercival@chromium.org, Sep 25

Issue description

This bug will be used as an umbrella bug for the temporally sharded Google Argon Certificate Transparency Logs. It is being created at the request of Chrome, who have said they would prefer to track a set of temporally sharded Logs with one bug.

The combination of the certificate expiry ranges of the Google Argon Logs allows any certificate that chains to a trusted root and has a lifetime of 27 months or less to be logged to one of the Argon Logs. Further Argon Logs will be turned up in the future in order to maintain the window for accepted certificates.

Operator details for the Argon Logs:
- Operator: Google
- Email: google-ct-logs@googlegroups.com
- Persons authorized to represent the Log operator: Al Cutter, Pierre Phaneuf, Paul Hadfield, Martin Smith, Rob Percival, Kat Joyce, David Drysdale, Gary Belvin, Pavel Kalinnikov, Tatiana Merkulova

Links to the bugs for the existing Logs:

https://ct.googleapis.com/logs/argon2017:  https://crbug.com/756813 
https://ct.googleapis.com/logs/argon2018:  https://crbug.com/756814 
https://ct.googleapis.com/logs/argon2019:  https://crbug.com/756817 
https://ct.googleapis.com/logs/argon2020:  https://crbug.com/756818 
https://ct.googleapis.com/logs/argon2021:  https://crbug.com/756819 

All updates for the existing Argon Logs will be posted on this bug from now on.
Any new Argon Logs will be announced / will request inclusion on this bug.
 
Attachment: argon_roots.pem (853 KB)

Argon2022 inclusion request:

This Log is public and provides open access. There are no fees for submitting certificates or any other usage, including queries and mirroring. No prior contracts or agreements are required before the Log may be used.

Details:

Log ID: KXm+8J45OSHwVnOfY6V35b5XfZxgCvj5TV0mXCVdx4Q=
Log URL: https://ct.googleapis.com/logs/argon2022
Certificate Expiry Range: Jan 01 2022 00:00:00Z inclusive to Jan 01 2023 00:00:00Z exclusive
MMD: 24 hours
Server public key: file attached (argon2022.pem)
Accepted roots: The same roots as for existing Argon Logs.

Additional Notes:

We will freeze the Log once its inclusion expiry window has passed and close it for new submissions as of Jan 01 2023 00:00:00Z. We will then request that trust be withdrawn from this Log by Chromium as all the certificates it contains will have expired and will therefore be no longer valid.

Submissions and queries are rate limited to protect our infrastructure. Rate limited requests will be denied with an HTTP error status code. We intend to provide serving capacity to support any reasonable usage level but additional automatic mechanisms exist that will operate to protect our infrastructure in emergency situations.

Implementation: 

This Log is based on our Golang implementation of Certificate Transparency. The open source version of this code can be found at: https://github.com/google/trillian and https://github.com/google/certificate-transparency-go and it is made available under an Apache 2.0 license.
Attachment: argon2022.pem (178 bytes)

Could you provide the public key in DER format, as required by Chrome Log Policy (not to mention my monitoring workflow ;-)?  Thanks!
No problem, I've attached the public key in DER format, as output by the following command:
$ openssl pkey -pubin -in argon2022.pem -outform der -out argon2022.der
Attachment: argon2022.der (91 bytes)

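Added example, not part of the thread and not Google's or Chrome's tooling: a Python sketch of two checks a monitor can run against an inclusion request like the one above. It confirms that a listed Log ID is the base64 SHA-256 of the DER public key (the RFC 6962 definition) and that a certificate's notAfter falls inside the shard's stated expiry range. The key bytes are a constructed placeholder, not the Argon2022 key, and all function names are hypothetical.

```python
import base64
import hashlib
from datetime import datetime, timezone

# Constructed placeholder, NOT the Argon2022 key: the DER header of a P-256
# SubjectPublicKeyInfo followed by 64 dummy coordinate bytes (91 bytes total).
SAMPLE_DER = bytes.fromhex(
    "3059301306072a8648ce3d020106082a8648ce3d03010703420004") + bytes(range(64))

# Expiry range from the Argon2022 request: start inclusive, end exclusive.
SHARD_START = datetime(2022, 1, 1, tzinfo=timezone.utc)
SHARD_END = datetime(2023, 1, 1, tzinfo=timezone.utc)

def der_to_pem(der: bytes) -> str:
    """Wrap DER bytes in PEM armour with 64-character base64 lines."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN PUBLIC KEY-----\n{body}\n-----END PUBLIC KEY-----\n"

def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour; for a well-formed key this yields the same bytes
    as the openssl command quoted in the thread."""
    lines = [ln.strip() for ln in pem.strip().splitlines()]
    if (len(lines) < 3 or lines[0] != "-----BEGIN PUBLIC KEY-----"
            or lines[-1] != "-----END PUBLIC KEY-----"):
        raise ValueError("not a PEM public key")
    return base64.b64decode("".join(lines[1:-1]), validate=True)

def log_id(der: bytes) -> str:
    """RFC 6962 LogID: SHA-256 of the DER SubjectPublicKeyInfo, base64-encoded."""
    return base64.b64encode(hashlib.sha256(der).digest()).decode()

def matches_log_id(pem: str, claimed: str) -> bool:
    """Check a claimed Log ID against the key actually supplied."""
    return log_id(pem_to_der(pem)) == claimed

def shard_accepts(not_after_iso: str) -> bool:
    """True if a certificate's notAfter (ISO 8601 with offset) is in the shard."""
    not_after = datetime.fromisoformat(not_after_iso)
    if not_after.tzinfo is None:
        raise ValueError("notAfter must carry a UTC offset")
    return SHARD_START <= not_after < SHARD_END

if __name__ == "__main__":
    pem = der_to_pem(SAMPLE_DER)
    print(len(pem), len(SAMPLE_DER), log_id(SAMPLE_DER))
    # The placeholder key must not match the Log ID listed for Argon2022.
    print(matches_log_id(pem, "KXm+8J45OSHwVnOfY6V35b5XfZxgCvj5TV0mXCVdx4Q="))
    print(shard_accepts("2022-12-31T23:59:59+00:00"))
```

The placeholder's PEM and DER forms come to 178 and 91 bytes, the same sizes as the two key attachments in the thread.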
Owner: katjoyce@google.com
Log Operator phone number pulled from other Google Argon applications:
phone number: +442070313000 (Google UK)

Argon 2022 application looks good; over to CT Team for monitoring.
Thank you for your request, we have started monitoring your Log server.
Should no issues be detected, the initial compliance monitoring phase
will be complete on Feb 6th 2019 and we will update this bug
shortly after that date to confirm.
