Hi everyone,
Last year, we made plans to transition the non-temporally sharded Google Certificate Transparency (CT) Logs to be read-only. However, as discussed on ct-policy, this would have caused issues for users of Apple products running certain software versions, which rely on these Logs.
With this in mind, we are now happy to announce that we have confirmed with Apple exactly which roots they need our Logs to continue accepting to prevent these problems. Apple have announced that they will be limiting their EV SSL certificate issuance to three roots for the foreseeable future. These roots are:
DigiCert High Assurance EV Root CA (https://crt.sh/?caid=28, https://crt.sh/?id=46)
DigiCert Global Root G2 (https://crt.sh/?caid=5885, https://crt.sh/?id=8656329)
DigiCert Global Root G3 (https://crt.sh/?caid=5699, https://crt.sh/?id=8568700)
(the above 3 roots will be referred to as ‘the specified roots’ for the rest of this message)
In their announcement, Apple also mentioned that currently their EV SSL certificates are only issued by three intermediate DigiCert CAs. The intermediate CAs used to issue Apple EV certificates may change in the future.
With the above in mind, and alongside the ever growing size of our largest Logs, we have put together the following plan to restrict submissions to Skydiver, Icarus, Pilot and Rocketeer.
As a first step, we will restrict the accepted roots for Skydiver, Icarus, Pilot and Rocketeer to be only the specified roots (see above). We will then continue to work closely with Apple and may look to restrict the accepted roots of these Logs further to just actively used intermediate CAs. We will follow up with another announcement if we do decide to do that.
The planned timeline for the initial root set change is as follows:
March 17th 2020: Icarus (https://ct.googleapis.com/icarus) changes its root set to be only the specified roots.
April 14th 2020: Rocketeer (https://ct.googleapis.com/rocketeer) changes its root set to be only the specified roots.
May 12th 2020: Pilot (https://ct.googleapis.com/pilot) changes its root set to be only the specified roots.
June 9th 2020: Skydiver (https://ct.googleapis.com/skydiver) changes its root set to be only the specified roots.
We hope that this timeline will give anyone logging to Skydiver, Icarus, Rocketeer or Pilot enough notice to switch over to the temporally sharded Argon and Xenon Logs. Only Skydiver, Icarus, Rocketeer and Pilot will be affected by these changes. The Argon and Xenon Logs will continue operation as usual.
We will be updating each of the respective chromium bugs for Skydiver, Icarus, Rocketeer and Pilot with the planned timeline shortly.
If anyone has any questions about this, or needs any advice or assistance switching over to Argon and/or Xenon, please do reach out to the Google CT team at google-...@googlegroups.com
Thanks!
The CT team at Google
--
You received this message because you are subscribed to the Google Groups "Certificate Transparency Policy" group.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/ct-policy/CAO%2BqTA%3D_HeAaJUEzQsyV_%3Dw2-T06Vxze3jQbEn3iRAwjN-q%3DYw%40mail.gmail.com.
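A practical check a submitter can run before and after each date above, added here as an example (not part of this message or of Google's CT code): it parses a Log's RFC 6962 `/ct/v1/get-roots` response, fingerprints the accepted roots, and reports whether a given chain root is still accepted and whether that Log's announced restriction has taken effect. The `ROOT_SET_CHANGE` table is taken from the timeline above; the DER blobs and the get-roots body are constructed placeholders, not real certificates.

```python
import base64
import hashlib
import json
from datetime import date

# The four Google Logs named in the announcement and the date each one
# restricts its accepted roots to only the specified roots.
ROOT_SET_CHANGE = {
    "https://ct.googleapis.com/icarus": date(2020, 3, 17),
    "https://ct.googleapis.com/rocketeer": date(2020, 4, 14),
    "https://ct.googleapis.com/pilot": date(2020, 5, 12),
    "https://ct.googleapis.com/skydiver": date(2020, 6, 9),
}

def fingerprint(der: bytes) -> str:
    """SHA-256 of the DER encoding, hex, as crt.sh and most tooling show it."""
    return hashlib.sha256(der).hexdigest()

def accepted_fingerprints(get_roots_body: str) -> set:
    """Parse an RFC 6962 get-roots response: {"certificates": [base64 DER, ...]}."""
    certs = json.loads(get_roots_body)["certificates"]
    return {fingerprint(base64.b64decode(c)) for c in certs}

def check_log(log_url: str, get_roots_body: str, chain_root_der: bytes, today: date) -> dict:
    """Report whether the chain's root is in this Log's accepted set and whether
    the announced root-set restriction for the Log is already in effect."""
    accepted = fingerprint(chain_root_der) in accepted_fingerprints(get_roots_body)
    change = ROOT_SET_CHANGE.get(log_url)  # None for Logs not covered by the plan
    return {
        "log": log_url,
        "root_accepted": accepted,
        "restriction_in_effect": change is not None and today >= change,
        "restriction_date": change.isoformat() if change else None,
    }

# Constructed sample data (not real certificates): one blob stands in for a
# specified root, the other for a root dropped from the accepted set.
SPECIFIED_ROOT_DER = b"\x30\x82constructed-specified-root"
OTHER_ROOT_DER = b"\x30\x82constructed-other-root"

# Constructed get-roots body, as Icarus might answer after 17 March 2020.
ICARUS_AFTER = json.dumps({"certificates": [base64.b64encode(SPECIFIED_ROOT_DER).decode()]})

def demo():
    """Run the check for both sample roots against the constructed Icarus response."""
    icarus = "https://ct.googleapis.com/icarus"
    ok = check_log(icarus, ICARUS_AFTER, SPECIFIED_ROOT_DER, date(2020, 4, 1))
    gone = check_log(icarus, ICARUS_AFTER, OTHER_ROOT_DER, date(2020, 4, 1))
    return ok, gone

if __name__ == "__main__":
    for report in demo():
        print(report)
```

Against a live Log, fetch `log_url + "/ct/v1/get-roots"` and pass the response body as `get_roots_body`; a chain whose root reports `root_accepted: False` for a Log with `restriction_in_effect: True` needs to move to Argon or Xenon.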