As part of the inclusion process for recognizing Certificate Transparency logs included in Chrome, we have determined that the
WoSign CT Log,
https://ct.wosign.com , has been having ongoing issues and is no longer measured at 99% uptime. As the Chromium Certificate Transparency Log Policy states, 99% uptime is part of the initial and ongoing requiremens that Log Operators are expected to abide by.
Because of this, the WoSign CT Log will not be included in Chrome. While SCTs from the WoSign CT Log may continue to be included after that point, they will not count towards the requirement of one non-Google log, and if embedded in certificates, they will not count towards the minimum number of SCTs required. All SCTs from the WoSign CT Log, past, present, and future will not count towards the requirement that at least one SCT is from a valid log at time of evaluation.
What does this mean for site operators
This change should have no impact on your operations. As Chromium-based code did not yet trust the WoSign CT Log, this change in status should not affect any of your certificates or servers.
What does this mean for CAs
If you are embedding SCTs in your certificates, SCTs from the WoSign CT Log will not count towards the minimum requirements. This is important to highlight, because as explained in the
Chromium Certificate Transparency EV/CT plan, CAs may include SCTs within certificates from logs that are pending qualification, provided that all logs are accepted as qualified prior to the TLS handshake. Any certificates which relied upon a presumption of inclusion will find that, due to the disqualification, SCTs from the WoSign CT Log will not be counted as qualified at the time of the TLS handshake. As a result, any such certificates which fail to include a sufficient number of SCTs, not counting the WoSign CT Log's SCTs, will not be trusted in Chrome.