Session | Presenter | Start Time | Duration |
Introductions & Logistics | Ryan / Devon | 9:00 am | 15 min |
The Direction of CT | Devon | 9:15 am | 15 min |
User Agent CT Policies | Devon | 9:30 am | 30 min |
Break out session selection/scheduling | Ryan / Devon | 10:00 am | 45 min |
Break | All | 10:45 am | 15 min |
Break out Sessions #1 | All | 11:00 am | 1 hour |
Lunch | All | 12:00 pm | 1 hour |
Break out Sessions #1 Presentations | Session Group Leads | 1:00 pm | 1 hour |
Next generation logs and Trillian | Al / et al | 2:00 pm | 30 min |
Break out Sessions #2 | All | 2:30 pm | 1 hour |
Break | All | 3:30 pm | 15 min |
Break out Sessions #2 Presentations | Session Group Leads | 3:45 pm | 1 hour |
Downtime | All | 4:45 pm | 1:15 hour |
Dinner | All | 6:00 pm | -- |
Introductions & Logistics | Ryan / Devon | 9:00 am | 30 min |
CT in the US Government | Lachelle and Deb | 9:30 am | 45 min |
Break out session selection/scheduling | Ryan / Devon | 10:15 am | 30 min |
Break | All | 10:45 am | 15 min |
Break out Sessions #3 | All | 11:00 am | 1 hour |
Lunch | All | 12:00 pm | 1 hour |
Break out Sessions #3 Presentations | Session Group Leads | 1:00 pm | 1 hour |
Let’s Encrypt and Certificate Transparency | Roland | 2:00 pm | 15 min |
2:30 pm | |||
Next Steps |
On November 2nd and 3rd, we held the second CT Policy Days event at Google NYC. Turnout for the event was great; we had over 40 people present in person and regularly had over 15 participating remotely.
We had representatives from browsers (Microsoft, Apple, Mozilla and Google) as well as from CAs, log operators, log monitors, enterprises, governments, and other interested parties.
The focus of the event was largely to provide an ecosystem status update and to clarify what common elements and approaches browsers should include when defining their log inclusion policies.
We had presentations from the Google CT team, where they brought up an instance of the Trillian Log Server in real time; we heard about Apple’s implementation of CT; the US Government talked about their CT plans; and Let’s Encrypt discussed the plans to deploy a log server based on Trillian in 2018. Even though CloudFlare could not attend, they did announce their new Trillian-based log server at the same time as the event as a show of support, and DigiCert discussed their new log that will be released soon.
The feedback from both local participants and remote participants was that the event was both constructive and a good use of their time. I know that within Google, we found the event hugely valuable in shaping how we will spend our efforts over the next year.
As we have done previously, we structured the event into break-out sessions where the attendees expressed interest and willingness to discuss the various topics. Based on those conversations, the following topics were discussed:
Log Compliance Monitoring and Availability
What happens in April 2018 (CT Enforcement)?
Overzealous Logging and Policy Implications (DoS, accept revoked/expired?)
Log Architecture & Scaling (Internal Operations)
Pain points in Log operation & encouraging new log operators to join the fray
Non-publicly trusted Logs & Use Cases
Impacts of CT to Site Operators & Cloud Services
Towards multiple UA Policies
Improving the Log Evaluation Period / Log Lifecycle
Log Operator Incident Response (Policy Violations)
RFC 6962-bis
Each breakout session was led by an in-person attendee who also captured rough notes (where possible) and then presented back to the group. I have attached unedited copies of those notes from these conversations for reference.
At the close of the event, we discussed the best timing for the next event, and it seemed to make the most sense for it to happen some time proximal to the April 2018 date that Chrome is targeting for CT Enforcement. There was also some interest in the event being coordinated with the IETF event in London in March, just before the enforcement date. We would be interested in seeing feedback on list regarding timing and locations for the next instance of this event, so please let us know.
I want to thank everyone who participated remotely or in person; this was a great event that would not have been possible without each and every one of you.
Ryan Hurst and Devon O’Brien