Upcoming CT Log Shutdown: Aviator


Ryan Sleevi

Nov 21, 2016, 12:27:16 PM
to ct-p...@chromium.org
The Google-operated log Aviator, https://ct.googleapis.com/aviator , will be shutting down and no longer accepting new certificate submissions, effective December 1, 2016 00:00:00 UTC. Existing SCTs will continue to count towards the requirement that at least one SCT is qualified at time of check, but no new SCTs will be issued after this date. The Log will still be expected to observe the Certificate Transparency in Chrome Policy, including the prohibition against serving conflicting views of the Merkle Tree.

What does this mean for site operators

If you are delivering SCTs embedded in the certificate, this should require no action on your part. All certificates previously issued will be unaffected by the Aviator Log shutting down. If you refresh or renew your certificate, your CA should be including sufficient and diverse SCTs from other logs that it should require no action on your part.

If you are delivering SCTs embedded in the OCSP response, via OCSP stapling, then for existing certificates, this should have no effect. If you refresh or renew your certificate, your CA should ensure that the new certificate complies with the Certificate Transparency in Chrome Policy.

If you are delivering SCTs via a TLS extension, then for existing certificates, this should have no effect. If you refresh or renew your certificate, you will need to update the SCTs being delivered, and the Aviator Log will no longer be usable to issue new certificates.

What does this mean for CAs

If you are embedding SCTs in your OCSP response, you can continue to provide SCTs from the Aviator Log for existing certificates. However, as new SCTs will no longer be able to be obtained from Aviator, you will need to log to a different log to ensure continued compliance.

If you are embedding SCTs in your certificates, the Aviator Log will cease issuing new SCTs on December 1, 2016. You will need to ensure your systems are capable and able to log to alternate logs, and to handle any failure codes that may arise when attempting to log.

What does this mean for monitors and auditors

In general, the same expectations of log operation will remain, except no new SCTs will be issued, and thus the MMD will no longer be tested. Cryptographic evidence of misbehaviour, such as providing a split view of the log, will result in the Log's removal.

In the future, as and when other non-Google logs shut down, Google will strive to provide a frozen, read-only mirror of logs, available at a separate URL, to allow monitors and auditors to check inclusion proofs and compliance. As the Aviator Log is a Google-operated mirror, Google will continue serving the log's information at the current URL.

Doug Beattie (Globalsign)

Nov 21, 2016, 1:17:41 PM
to Certificate Transparency Policy, rsl...@chromium.org
Will icarus or skydiver be available prior to the December 1st date?  The latest status indicates they passed their Compliance monitoring and that the process to add them to Chromium was started on November 3rd.  If we can swap one Google log for another that will help ease the set of changes we need to make.

Doug

Ryan Sleevi

Nov 21, 2016, 1:26:18 PM
to Doug Beattie (Globalsign), Certificate Transparency Policy, Ryan Sleevi
On Mon, Nov 21, 2016 at 10:17 AM, Doug Beattie (Globalsign) <douglas...@gmail.com> wrote:
Will icarus or skydiver be available prior to the December 1st date?  The latest status indicates they passed their Compliance monitoring and that the process to add them to Chromium was started on November 3rd.  If we can swap one Google log for another that will help ease the set of changes we need to make.

I suppose this is another question where it's unfortunately unclear the nuance of what you're asking.

Aviator will shut down on December 1st. That will affect the ability to issue SCTs entirely.

Icarus and Skydiver are scheduled for inclusion in Chrome 56, which is scheduled for release in late January. This means that until they are included, you cannot rely on SCTs being accepted from these logs. This is similar to how root CA certificate inclusions work - approval and availability are two separate concepts.

As such, if you wish to have your certificates comply, you should use either the Pilot or Rocketeer logs to guarantee "Qualified at time of check" and "Once or currently qualified" until that time.
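The rules laid out in the announcement and in the reply above (pre-freeze Aviator SCTs still count as "qualified at time of check", no new Aviator SCTs from 1 December 2016 00:00:00 UTC, Icarus/Skydiver SCTs not accepted until Chrome 56 ships) as a small Python policy checker that a CA or site operator could run over the SCTs they deliver. This is an added example, not code from the thread or from Chromium; the log names come from the thread, while the Icarus/Skydiver qualification date and the `ts`, `LogStatus`, `SCT` helpers are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional, Sequence


def ts(year: int, month: int, day: int) -> datetime:
    return datetime(year, month, day, tzinfo=timezone.utc)


@dataclass(frozen=True)
class LogStatus:
    qualified_from: Optional[datetime]  # None: qualified for the whole modelled period
    frozen_at: Optional[datetime] = None  # from this instant the log issues no new SCTs


# Constructed table of the logs named in the thread. Only the Aviator freeze instant
# (2016-12-01 00:00:00 UTC) comes from the thread; the Icarus/Skydiver date is an
# assumed stand-in for the Chrome 56 release ("late January").
LOGS = {
    "aviator": LogStatus(None, frozen_at=ts(2016, 12, 1)),
    "pilot": LogStatus(None),
    "rocketeer": LogStatus(None),
    "icarus": LogStatus(ts(2017, 1, 31)),    # assumed
    "skydiver": LogStatus(ts(2017, 1, 31)),  # assumed
}


@dataclass(frozen=True)
class SCT:
    log: str
    timestamp: datetime  # issuance time recorded in the SCT


def sct_status(sct: SCT, check_time: datetime) -> str:
    """Classify one SCT as a client would at check_time."""
    log = LOGS.get(sct.log)
    if log is None:
        return "unknown_log"
    if log.frozen_at is not None and sct.timestamp >= log.frozen_at:
        return "after_freeze"  # a frozen log cannot have issued this SCT
    if log.qualified_from is not None and check_time < log.qualified_from:
        return "not_yet_qualified"  # approved but not yet shipped in Chrome
    return "qualified"  # includes pre-freeze SCTs from a frozen log, as the thread states


def qualified_at_check(scts: Sequence[SCT], check_time: datetime) -> bool:
    """The requirement quoted in the thread: at least one SCT qualified at time of check."""
    return any(sct_status(s, check_time) == "qualified" for s in scts)


def relies_only_on_frozen_logs(scts: Sequence[SCT], check_time: datetime) -> bool:
    """Passes today only via SCTs from a frozen log: a renewal must log elsewhere."""
    live = [s for s in scts
            if sct_status(s, check_time) == "qualified" and LOGS[s.log].frozen_at is None]
    return qualified_at_check(scts, check_time) and not live
```

A certificate for which `relies_only_on_frozen_logs` is true keeps validating, but the CA (for embedded or OCSP-delivered SCTs) or the server operator (for the TLS extension) must obtain SCTs from a live log when it is reissued.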