Shut down of 2018 and 2019 shards

Jeremy Rowley

Apr 25, 2020, 11:25:34 AM
to Certificate Transparency Policy
Hey all, 

To clean up operations, we're decommissioning the old shards of Yeti and Nessie. We plan to freeze the yeti and nessie logs for 2018 and 2019 next week. We plan to shut down the 2018 logs on May 1 and shut down the 2019 logs on June 1. The 2020+ shards will all remain active and operational of course.

Any concerns with this plan?

Jeremy

Kurt Roeckx

Apr 25, 2020, 11:47:10 AM
to Jeremy Rowley, Certificate Transparency Policy
On Sat, Apr 25, 2020 at 08:25:34AM -0700, Jeremy Rowley wrote:
> Hey all,
>
> To clean up operations, we're decommissioning the old shards of Yeti and
> Nessie. We plan to freeze the yeti and nessie logs for 2018 and 2019 next
> week. We plan to shut down the 2018 logs on May 1 and shut down the 2019
> logs on June 1. The 2020+ shards will all remain active and operational of
> course.

You first talk about freeze, and then shut down, and it's not
really clear to me what you mean. They all still seem to be
generating new STHs. I assume that by freeze you mean that they
will stop issuing new STHs, but that it will stay available in
read only mode, and that with shut down it won't be available at
all.

So that would mean that the 2018 logs will just be shut down next
week, the 2019 will go to read only mode next week, and then a
month later get shut down?


Kurt

Jeremy Rowley

Apr 25, 2020, 1:12:28 PM
to Certificate Transparency Policy, rowl...@gmail.com
Thanks for the question.  Freeze does mean read only and shut down does mean it'll be taken offline and no longer available. 

The timeline we had planned is:

1) Week of April 27: Turn the following into read only:
  • Nessie 2018
  • Yeti 2018
  • Nessie 2019
  • Yeti 2019
2) On May 1 we plan to remove all access to the following logs:
  • Nessie 2018
  • Yeti 2018
3) On June 1, we plan to remove all access to the following logs:
  • Nessie 2019
  • Yeti 2019

Jeremy

Pavel Kalinnikov

Apr 27, 2020, 5:23:17 AM
to Jeremy Rowley, Certificate Transparency Policy
Hi Jeremy,

Thank you for giving the notice and the schedule. May 1 is Friday of the Week of April 27, so it's unclear how much time you are planning between freezing the 2018 shards and turning them down. Could you elaborate on that a bit?

My hope is that a) we catch your last STHs before the logs go offline; b) we stop fetching from these logs (ideally, this should happen between when you freeze it and when you shut it down).

Thank you,
Pavel

Kurt Roeckx

Apr 27, 2020, 5:56:21 AM
to Jeremy Rowley, Certificate Transparency Policy
Hi Jeremy,

I recently lost my copy of all logs, so I started downloading all
of them again. I've switched to a higher rate since your
announcement, but I'm hitting rate limits, and it looks like I
won't be able to get everything of the 2018 logs by the first of
May. It looks like I still need about 8 days.

Are there any mirrors of it available?

If not, would it be possible to delay the shut down?


Kurt

On Sat, Apr 25, 2020 at 10:12:27AM -0700, Jeremy Rowley wrote:
> Thanks for the question. Freeze does mean read only and shut down does
> mean it'll be taken offline and no longer available.
>
> The timeline we had planned is:
>
> 1) Week of April 27: Turn the following into read only:
>
> - Nessie 2018
> - Yeti 2018
> - Nessie 2019
> - Yeti 2019
>
> 2) On May 1 we plan to remove all access to the following logs:
>
> - Nessie 2018
> - Yeti 2018
>
> 3) On June 1, we plan to remove all access to the following logs:
>
>
> - Nessie 2019
> - Yeti 2019
>
>
> Jeremy
>
> On Saturday, April 25, 2020 at 9:47:10 AM UTC-6, Kurt Roeckx wrote:
> >
> > On Sat, Apr 25, 2020 at 08:25:34AM -0700, Jeremy Rowley wrote:
> > > Hey all,
> > >
> > > To clean up operations, we're decommissioning the old shards of Yeti and
> > > Nessie. We plan to freeze the yeti and nessie logs for 2018 and 2019
> > next
> > > week. We plan to shut down the 2018 logs on May 1 and shut down the 2019
> > > logs on June 1. The 2020+ shards will all remain active and operational
> > of
> > > course.
> >
> > You first talk about freeze, and then shut down, and it's not
> > really clear to me what you mean. They all still seem to be
> > generating new STHs. I assume that by freeze you mean that they
> > will stop issuing new STHs, but that it will stay available in
> > read only mode, and that with shut down it won't be available at
> > all.
> >
> > So that would mean that the 2018 logs will just be shut down next
> > week, the 2019 will go to read only mode next week, and then a
> > month later get shut down?
> >
> >
> > Kurt
> >
> >
>

Brendan McMillion

Apr 27, 2020, 3:31:58 PM
to Kurt Roeckx, Jeremy Rowley, Certificate Transparency Policy

Kurt Roeckx

Apr 27, 2020, 4:40:47 PM
to Brendan McMillion, Jeremy Rowley, Certificate Transparency Policy

On Mon, Apr 27, 2020 at 12:31:45PM -0700, Brendan McMillion wrote:
> Hey Kurt, Google operates mirrors of these logs at:
>
> - https://ct.googleapis.com/logs/us1/mirrors/digicert_nessie{2018-2023}
> - https://ct.googleapis.com/logs/eu1/mirrors/digicert_yeti{2018-2023}

Hi Brendan,

Thanks.

Do you know about URLs of other mirrors Google has? I could only
find old URLs that no longer seem to work.


Kurt

Brendan McMillion

Apr 27, 2020, 7:21:37 PM
to Kurt Roeckx, Jeremy Rowley, Certificate Transparency Policy
I don't know if there's a proper registry

Kurt Roeckx

May 2, 2020, 9:14:53 AM
to Jeremy Rowley, Certificate Transparency Policy
On Sat, Apr 25, 2020 at 10:12:27AM -0700, Jeremy Rowley wrote:
> Thanks for the question. Freeze does mean read only and shut down does
> mean it'll be taken offline and no longer available.
>
> The timeline we had planned is:
>
> 1) Week of April 27: Turn the following into read only:
>
> - Nessie 2018
> - Yeti 2018
> - Nessie 2019
> - Yeti 2019
>
> 2) On May 1 we plan to remove all access to the following logs:
>
> - Nessie 2018
> - Yeti 2018
>
> 3) On June 1, we plan to remove all access to the following logs:
>
>
> - Nessie 2019
> - Yeti 2019

All 4 of them still seem to be generating new STHs:
yeti2018 | 2020-05-02 01:00:29.015+00
yeti2019 | 2020-05-02 01:00:33.14+00
nessie2018 | 2020-05-02 01:00:55.25+00
nessie2019 | 2020-05-02 01:00:15.972+00

(With the normal 12 hour delay.)

Can you update us when things have changed?


Kurt

Jeremy Rowley

Jun 2, 2020, 1:07:18 PM
to Certificate Transparency Policy, rowl...@gmail.com
We've turned off new tree signings. We plan on fully shutting down the 2018 and 2019 shards July 1.  We also plan to remove all roots except the one required by Apple from CT1 on July 1 in preparation of deprecating that log.

Question on CT2. Do we need to keep this running? Or can we shut it down as well? What would the impact be on Google if the log is decommissioned since it is no longer trusted?

Devon O'Brien

Jun 4, 2020, 7:55:41 PM
to Certificate Transparency Policy, rowl...@gmail.com
Hi Jeremy,

Thanks for the updates on the 2018, 2019, and CT1 Logs.

Regarding CT2 (DigiCert Log Server 2 as named in our log_list.json), Chrome does not have any expectations that you continue operating this Log after transitioning to Retired. Before spinning it down, it might be worth ensuring that other CT-enforcing user agents are in agreement (i.e. Apple).  

For archival purposes, Google will continue to operate the mirror of 'DigiCert Log Server 2', which can be reached at https://ct.googleapis.com/logs/us1/mirrors/digicert_ct2.

-Devon