Rejecting DigiCert Yeti 2023 CT Log Shard in Chrome


Chris Thompson

Nov 29, 2023, 1:58:31 PM
to Certificate Transparency Policy

Following on the previous transition of the DigiCert Yeti2023 Log (https://yeti2023.ct.digicert.com/log/) to Retired last year (see the previous announcement on ct-policy@), all certificates depending on SCTs from this log to validate in Chrome have now expired. This log will now be transitioned to the Rejected state, which means it will be removed entirely from the log list shipped to Chrome. SCTs from this log – past, present, or future – will no longer count towards a certificate’s CT compliance, regardless of how the SCTs are delivered.


CT-enforcing versions of Chrome will receive this update in the next few days, and the change will affect the log list hard-coded into the Chrome Binary starting in Chrome 121.


What does this mean for site operators


This log transitioning to Rejected should require no action by site operators, since all certificates relying on SCTs issued by this log should now be expired and/or no longer in use. This is true whether sites are delivering SCTs via OCSP, TLS extension, or embedded in the certificate itself.
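A site operator who wants to confirm the statement above for their own certificates can inspect the embedded SCT list and look up each log ID against the log list state. The following is an added example written for this post, not code from the announcement, from Chrome, or from DigiCert. It parses the SignedCertificateTimestampList wire format defined in RFC 6962 section 3.3 (the value of the 1.3.6.1.4.1.11129.2.4.2 certificate extension, wrapped in a DER OCTET STRING) and reports every SCT whose log is in the Rejected state. The 32-byte log IDs, the timestamps and the log-state table are constructed placeholders; the real log ID of the Yeti 2023 shard must be taken from the published log list, and SCT signatures are not verified here.

```python
import base64
import struct

# Constructed placeholder log IDs (32 bytes each). These are NOT real log IDs;
# the first merely stands in for yeti2023.ct.digicert.com in this example.
REJECTED_LOG_ID = bytes([0xAA] * 32)
USABLE_LOG_ID = bytes([0xBB] * 32)
OTHER_LOG_ID = bytes([0xCC] * 32)       # a log absent from our state table

# Assumed state table in the spirit of the Chrome log list. Only the Rejected
# rule is taken from the announcement: SCTs from a Rejected log never count,
# however they are delivered.
LOG_STATES = {
    REJECTED_LOG_ID: "rejected",
    USABLE_LOG_ID: "usable",
}


def strip_der_octet_string(der: bytes) -> bytes:
    """Return the payload of a DER OCTET STRING (tag 0x04). The SCT list
    extension value is wrapped in one before the TLS encoding begins."""
    if len(der) < 2 or der[0] != 0x04:
        raise ValueError("not a DER OCTET STRING")
    first = der[1]
    if first < 0x80:                        # short-form length
        start, length = 2, first
    else:                                   # long form: N length octets follow
        n = first & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(der[2:2 + n], "big")
        start = 2 + n
    payload = der[start:start + length]
    if len(payload) != length:
        raise ValueError("truncated OCTET STRING")
    return payload


def parse_sct_list(tls: bytes):
    """Parse a TLS-encoded SignedCertificateTimestampList (RFC 6962 3.3)
    into (log_id, timestamp_ms) tuples. Every length is bounds-checked so a
    malformed extension raises instead of reading past the buffer."""
    if len(tls) < 2:
        raise ValueError("truncated list length")
    (total,) = struct.unpack(">H", tls[:2])
    body = tls[2:2 + total]
    if len(body) != total:
        raise ValueError("truncated SCT list")
    scts, pos = [], 0
    while pos < len(body):
        if pos + 2 > len(body):
            raise ValueError("truncated SCT length")
        (sct_len,) = struct.unpack(">H", body[pos:pos + 2])
        pos += 2
        sct = body[pos:pos + sct_len]
        # version(1) + log_id(32) + timestamp(8) + extensions length(2) = 43
        if len(sct) != sct_len or sct_len < 43:
            raise ValueError("truncated SCT")
        pos += sct_len
        if sct[0] != 0:                     # sct_version v1 is encoded as 0
            raise ValueError("unknown SCT version %d" % sct[0])
        log_id = sct[1:33]
        (timestamp_ms,) = struct.unpack(">Q", sct[33:41])
        # Extensions and the digitally-signed struct follow; the log_id alone
        # is enough to consult the log list state.
        scts.append((log_id, timestamp_ms))
    return scts


def rejected_scts(extension_der: bytes, log_states=LOG_STATES):
    """Return (base64 log_id, timestamp_ms) for every SCT from a Rejected log."""
    return [
        (base64.b64encode(log_id).decode(), ts)
        for log_id, ts in parse_sct_list(strip_der_octet_string(extension_der))
        if log_states.get(log_id) == "rejected"
    ]


# --- helpers that build constructed sample input for this example -----------

def build_sct(log_id: bytes, timestamp_ms: int) -> bytes:
    """A v1 SCT with empty extensions and a dummy (unverifiable) signature."""
    dummy_sig = b"\x04\x03" + b"\x00\x02" + b"\x30\x00"   # hash/sig alg + 2-byte body
    return b"\x00" + log_id + struct.pack(">Q", timestamp_ms) + b"\x00\x00" + dummy_sig


def encode_sct_list(scts) -> bytes:
    items = b"".join(struct.pack(">H", len(s)) + s for s in scts)
    return struct.pack(">H", len(items)) + items


def der_octet_string(payload: bytes) -> bytes:
    n = len(payload)
    if n < 0x80:
        header = bytes([0x04, n])
    else:
        length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
        header = bytes([0x04, 0x80 | len(length_bytes)]) + length_bytes
    return header + payload


def demo():
    """Three constructed SCTs; only the one from the Rejected log is reported."""
    extension = der_octet_string(encode_sct_list([
        build_sct(REJECTED_LOG_ID, 1_650_000_000_000),
        build_sct(USABLE_LOG_ID, 1_650_000_000_000),
        build_sct(OTHER_LOG_ID, 1_650_000_000_000),
    ]))
    return rejected_scts(extension)


if __name__ == "__main__":
    for log_id_b64, ts in demo():
        print("SCT from Rejected log", log_id_b64, "at", ts)
```

Running `demo()` returns one entry for the placeholder Rejected log. For a real certificate, feed `rejected_scts` the raw extension value (the bytes after the extension's OID and criticality in the DER), and look up each returned base64 log ID in the current log list; a non-empty result for a certificate still in use is the case the announcement says should no longer exist.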


What does this mean for CAs


There should be no impact to CAs from Rejecting this log. If a CA still has this log configured for production certificate logging purposes, it should be removed and the CA should ensure that they are logging certificates to a policy-satisfying set of Usable CT logs.


What does this mean for Log Operators


Once this CT log transitions to Rejected, Chrome no longer requires that it continues operation. DigiCert should check with other CT-enforcing user agents to ensure that there are no issues with ceasing operation of this CT log.


Log operators for CT logs not listed above do not need to take any action.

