Changing the roots of the non-temporally-sharded Google Logs

[Kat Joyce]

Hi everyone,

Last year, we made plans to transition the non-temporally sharded Google Certificate Transparency (CT) Logs to be read-only.  However, as discussed on ct-policy, this would have caused issues for users of Apple products running certain software versions, which rely on these Logs.

With this in mind, we are now happy to announce that we have confirmed with Apple exactly which roots they need our Logs to continue accepting to prevent these problems.  Apple have announced that they will be limiting their EV SSL certificate issuance to three roots for the foreseeable future.  These roots are:

DigiCert High Assurance EV Root CA (https://crt.sh/?caid=28, https://crt.sh/?id=46)

DigiCert Global Root G2 (https://crt.sh/?caid=5885, https://crt.sh/?id=8656329)

DigiCert Global Root G3 (https://crt.sh/?caid=5699, https://crt.sh/?id=8568700)

(the above 3 roots with be referred to as ‘the specified roots’ for the rest of this message)

In their announcement, Apple also mentioned that currently their EV SSL certificates are only issued by three intermediate DigiCert CAs.  The intermediate CAs used to issue Apple EV certificates may change in the future.

With the above in mind, and alongside the ever growing size of our largest Logs, we have put together the following plan to restrict submissions to Skydiver, Icarus, Pilot and Rocketeer.

 

As a first step, we will restrict the accepted roots for Skydiver, Icarus, Pilot and Rocketeer to be only the specified roots (see above).  We will then continue to work closely with Apple and may look to restrict the accepted roots of these Logs further to just actively used intermediate CAs.  We will follow up with another announcement if we do decide to do that.

The planned timeline for the initial root set change is as follows:

March 17th 2020: Icarus (https://ct.googleapis.com/icarus) changes its root set to be only the specified roots.

April 14th 2020: Rocketeer (https://ct.googleapis.com/rocketeer) changes its root set to be only the specified roots.

May 12th 2020: Pilot (https://ct.googleapis.com/pilot) changes its root set to be only the specified roots.

June 9th 2020: Skydiver (https://ct.googleapis.com/skydiver) changes its root set to be only the specified roots.

We hope that this timeline will give anyone logging to Skydiver, Icarus, Rocketeer or Pilot enough notice to switch over to the temporally sharded Argon and Xenon Logs.  Only Skydiver, Icarus, Rocketeer and Pilot will be affected by these changes.  The Argon and Xenon Logs will continue operation as usual.

We will be updating each of the respective chromium bugs for Skydiver, Icarus, Rocketeer and Pilot with the planned timeline shortly.

If anyone has any questions about this, or needs any advice or assistance switching over to Argon and/or Xenon, please do reach out to the Google CT team at google-...@googlegroups.com

Thanks!

The CT team at Google

[Jeremy Rowley]

Hi Kat, 

Similar to your plan, we would like to restrict the roots that can use DigiCert CT1 to only the Apple-supported roots you mentioned above. Although these are DigiCert roots, the DigiCert CA will also no longer use CT1 for its own logging prior to issuance. We can't restrict third parties from logging certs chained to those roots on DigiCert's behalf (since, as you mentioned, the Apple intermediates may change), but we'd encourage all DigiCert certs to be submitted to one of the sharded logs instead of CT1. We will freeze CT1 completely after Apple transitions to the sharded logs. We plan on removing all roots except the ones identified in your post around the first part of May. 

We also would like to freeze the DigiCert CT2 log and disallow any additional logging. We would like to do this in July with the exact date TBD. The deprecation of these two logs will transition the DigiCert CT service to only providing sharded logs.

Are there any issues with this plan? We'd love feedback or any comments. 

Jeremy

--
You received this message because you are subscribed to the Google Groups "Certificate Transparency Policy" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ct-policy+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/ct-policy/CAO%2BqTA%3D_HeAaJUEzQsyV_%3Dw2-T06Vxze3jQbEn3iRAwjN-q%3DYw%40mail.gmail.com.

[Pierre Phaneuf]

Hi everyone,

We have been slightly delayed, but we just submitted the configuration change for Icarus, which will get rolled out tomorrow afternoon (UTC). Changes for other logs should be simpler, and are expected to be done following the schedule laid out by Kat in the previous email.

Regards,

Pierre, on behalf of the CT team at Google

[Pierre Phaneuf]

Hi everyone,

A reminder that we are expecting to change the configuration for Rocketeer on Tuesday.

Regards,
Pierre, on behalf of the CT team at Google

[Kat Joyce]

Hi all,

We have now made the change to restrict the accepted roots of Pilot to the roots specified in this thread.  We expect the change to go live sometime tomorrow.

Thanks!

Kat, on behalf of the CT team at Google

[Kat Joyce]

And finally, Skydiver has also now had its accepted roots restricted.  And so ends our work to swap over the roots fo all of our non-temporally sharded Logs :)

Thanks!

Kat, on behalf of the CT team at Google