New availability requirements for logs trusted by Chrome coming into effect March 31, 2024


Carlos Joan Rafael Ibarra Lopez

Dec 19, 2023, 12:34:33 PM
to Certificate Transparency Policy

Hi ct-policy@,


We previously announced that Chrome would change how logs are monitored for compliance with our requirements, and how we define the 99% requirement for availability. This change will take effect on March 31, 2024. Since availability is calculated over a 90-day window, data will start to count towards the new requirement starting January 1st, 2024. After this time, Chrome’s requirement for logs will be 99% availability on each endpoint (excluding get-entry-and-proof for now).


As mentioned in the previous email, the new availability values for each endpoint are published in CSV format at https://www.gstatic.com/ct/compliance/endpoint_uptime.csv, and the minimum availability values seen for each log are published at https://www.gstatic.com/ct/compliance/min_uptime.csv. The latter is in the same format as the currently published https://www.gstatic.com/ct/compliance/uptime.csv. Once we fully transition, we will stop publishing uptime.csv to avoid confusion and reflect this change in policy.


The current numbers show that several logs across multiple log operators are struggling to stay highly available. This is an important reality to acknowledge about the present CT ecosystem -- logs are not as available or as robust as we'd hope. We invite log operators to work where they can to improve their log availability, and to let us know of any pain points you might have or if there's anything we can do to help.


We will not be taking any action against logs for these pre-existing per-endpoint availability issues; however, we will expect that per-endpoint availability does not get worse. New logs from any operator will be expected to meet all availability requirements from the start of the compliance monitoring period.


Please let us know if there are any questions or concerns,

-Carlos, from the Chrome CT team

Lanh Huynh

Dec 19, 2023, 2:09:01 PM
to Carlos Joan Rafael Ibarra Lopez, Certificate Transparency Policy

On Wed, Dec 20, 2023 at 0:34, 'Carlos Joan Rafael Ibarra Lopez' via Certificate Transparency Policy <ct-p...@chromium.org> wrote:

Xiaoming Yang

Dec 19, 2023, 9:14:03 PM
to Certificate Transparency Policy, Carlos Joan Rafael Ibarra Lopez
Can we disclose detail of the request rate or request User-Agent about the compliance monitoring? It is useful for troubleshooting whether there is a network problem or a server application problem.

Lanh Huynh

Dec 20, 2023, 8:50:24 AM
to Xiaoming Yang, Certificate Transparency Policy, Carlos Joan Rafael Ibarra Lopez

On Wed, Dec 20, 2023 at 9:14, Xiaoming Yang <xiaomi...@trustasia.com> wrote:

Lanh Huynh

Dec 20, 2023, 4:09:34 PM
to Xiaoming Yang, Certificate Transparency Policy, Carlos Joan Rafael Ibarra Lopez

On Wed, Dec 20, 2023 at 20:50, Lanh Huynh <l0934...@gmail.com> wrote:

Carlos Joan Rafael Ibarra Lopez

Dec 21, 2023, 7:26:30 PM
to Xiaoming Yang, Certificate Transparency Policy
Hi Xiaoming,

The user agent performing the requests is the same as the existing merge delay monitor ("Google-CT-bot (+https://goo.gl/chrome/ct-log-policy)").
Request rate varies by endpoint, but we are planning approximately one request every 3 minutes for most endpoints (except add-chain and add-pre-chain, which will remain at the current rate used for merge delay monitoring).

Please let us know if you have any other questions,
-Carlos
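
For log operators who want to cross-check the published per-endpoint figures against their own access logs, the following is an added example, not part of the thread and not Chrome's monitoring code. It assumes an nginx/Apache "combined" access log, RFC 6962 `/ct/v1/` paths, and that only HTTP 200 counts as available (the thread does not define this); the helper names and sample lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

BOT_UA = "Google-CT-bot"            # User-Agent substring quoted in the thread
THRESHOLD = 0.99                    # 99% availability on each endpoint
WINDOW = timedelta(days=90)         # availability is calculated over 90 days
EXCLUDED = {"get-entry-and-proof"}  # excluded from the requirement for now

# Assumption: "combined" access log format and RFC 6962 /ct/v1/ paths.
LINE_RE = re.compile(
    r'\[(?P<ts>[^\]]+)\] "(?:GET|POST) \S*/ct/v1/(?P<ep>[a-z-]+)\S* HTTP/[\d.]+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')

def endpoint_availability(lines, now):
    """Fraction of monitor requests answered with 200, per endpoint, in the window."""
    ok, total = defaultdict(int), defaultdict(int)
    for line in lines:
        m = LINE_RE.search(line)
        if not m or BOT_UA not in m["ua"] or m["ep"] in EXCLUDED:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if not now - WINDOW <= ts <= now:
            continue
        total[m["ep"]] += 1
        # Assumption: only HTTP 200 counts as "available"; the thread does not say.
        ok[m["ep"]] += m["status"] == "200"
    return {ep: ok[ep] / total[ep] for ep in total}

def below_threshold(availability):
    """Endpoints whose measured availability is under the 99% requirement."""
    return sorted(ep for ep, a in availability.items() if a < THRESHOLD)

# Constructed sample data (not real traffic): one request every 3 minutes.
UA = "Google-CT-bot (+https://goo.gl/chrome/ct-log-policy)"
NOW = datetime(2024, 3, 31, tzinfo=timezone.utc)

def sample_line(ts, endpoint, status, ua=UA):
    stamp = ts.strftime("%d/%b/%Y:%H:%M:%S %z")
    return f'192.0.2.10 - - [{stamp}] "GET /ct/v1/{endpoint} HTTP/1.1" {status} 512 "-" "{ua}"'

SAMPLE = [sample_line(NOW - timedelta(minutes=3 * i), "get-roots", 200) for i in range(200)]
SAMPLE += [sample_line(NOW - timedelta(minutes=3 * i), "get-sth", 503 if i < 3 else 200)
           for i in range(200)]
SAMPLE += [sample_line(NOW, "get-entry-and-proof", 500),              # excluded endpoint
           sample_line(NOW, "get-roots", 500, ua="curl/8.4.0"),       # not the monitor
           sample_line(NOW - timedelta(days=120), "get-roots", 500)]  # outside the window

if __name__ == "__main__":
    for ep, a in sorted(endpoint_availability(SAMPLE, NOW).items()):
        print(f"{ep:12s} {a:.4f} {'OK' if a >= THRESHOLD else 'BELOW 99%'}")
```

Access logs only contain requests that reached the server, so a server-side figure that looks healthy while the published value is low points toward the network path rather than the log application.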