Chrome CT 2021 Plans
Devon O'Brien
Hello ct-policy@,
At the beginning of 2020, we posted here with our 2020 CT Plans to help align expectations and share our progress with the CAs, CT Logs, Monitors and User Agents that make up the CT community and we'd like to continue this tradition into 2021. The themes tying together our CT work for this year are expanding the platforms enforcing CT, increasing the verifiability of CT Log operation, and where possible, remove Google as a critical dependency for CT to continue to thrive.
Here’s where we stand now on our 2020 CT goals as well as a highlight on our new projects for 2021:
Updates to our CT Policy and CT Log Operator Policy.
Starting November 1, 2020, Chrome moved to an updated CT Policy, which explains how certificates can become CT-compliant as well as an updated CT Log Policy, which describes what requirements we place on new and existing Log Operators to remain a part of the program.
In 2021, we expect the biggest change to our CT Policy to be the removal of the ‘One Google Log’ policy, which currently requires that certificates contain or accompany a SCT from a Google-operated CT Log in order to be deemed CT compliant. This long-standing goal has finally been made possible by our upcoming deployment of SCT auditing in Chrome. We will be following up with more detailed announcements regarding this change to ct-p...@chromium.org in the coming month.
CT Days Event
In light of travel restrictions and precautions against large gatherings, we held our first virtual CT Days event on September 8 - 9, 2020. We had between 50 and 60 folks from across the globe come together to talk about all things CT ranging from policy updates to real-world lessons learned from deploying CT Logs as well as discussion on possible future directions of CT. A link to the event notes and summary can be found here.
We were very pleased with how this event went and plan on hosting another such event later in 2021. If you would like to see a specific topic covered, or even lead a session yourself, please reach out so we can discuss further.
SCT Auditing
Our biggest project in 2020, which continues into early 2021 is the implementation of SCT auditing in Chrome. The initial version of this feature, which will hit Stable in Chrome 90 is opt-in and samples SCTs from Chrome clients to be audited against the view of CT Logs presented to Google.
In 2021, we have already begun designing improved versions of SCT Auditing in Chrome that increase the privacy and security properties of reporting SCTs. We expect these improvements to broaden the scope of SCTs able to be audited and make CT Log misbehavior significantly more detectable.
Dynamically Updatable CT Log List
Looking forward to 2021, we see the ability to rapidly deploy updated Log lists to Chrome clients as a key factor in being able to bring CT enforcement to Chrome on Android, which will be a big step forward in a more ubiquitous and transparent HTTPS ecosystem.
Included in this feature is a change to how, and for how long, CT will be enforced. Rather than relying on the release’s build date to determine whether to enforce CT during certificate evaluation, we will be moving to a system that refreshes the 10 week CT enforcement window when obtaining an updated timestamp from the most recent CT Log list.
By removing the dependency on build date, we aim to simplify CT behavior, and to ultimately expand access to Chromium’s CT implementation by re-enabling CT enforcement by default in Chromium for non-Chrome embedders.
Improved Compliance Monitoring
Work continued throughout 2020 on our updated Compliance Monitoring tooling, which will provide both finer-grained measurements over our existing tooling as well as expanding measurements to RFC 6962 APIs that are not currently actively monitored, despite being enforced in CT policies and standards. We’re not quite ready to share firm plans for deployment, but we will share with the community well in advance of a shift to this tooling for measuring policy compliance.
Technical Enforcement of Sharded CT Logs Expiry Range
This feature was the least critical of our 2020 goals and while we’re generally still in support of this feature, work on this has been back-burnered while we prioritized other projects.
CT Enforcement in Chrome on Android
As we touched on briefly when discussing the dynamically updatable CT Log List, one of our longstanding goals has been to bring CT enforcement to Chrome on Android, where it was not originally deployed due to a variety of technical limitations at the time. We are still fleshing out requirements for bringing CT to Chrome on Android; however, we expect our upcoming ability to rapidly deliver updated CT Log lists to remove one of the biggest obstacles towards deploying CT on a broader set of platforms.