Monitoring "missing" accepted roots
Rob Stradling
Oct 11, 2023, 4:40:05 PM
to Certificate Transparency Policy
The Chrome CT Log Policy expects logs "to accept logging submissions from CAs that are trusted by default in Chrome across all its supported platforms, including ChromeOS, Android, Linux, Windows, macOS, iOS". Chrome uses the Chrome Root Store on all platforms except iOS, on which it uses Apple's trust store.

Similarly, the Apple CT log program requires logs to "trust all root CA certificates included in Apple's trust store".

Building on crt.sh's existing tracking of root stores and of logs' accepted roots, today I've added more monitoring to show if/how each log is deviating from the policy requirements mentioned above:

https://crt.sh/monitored-logs summarises the findings in two new "# Roots Missing" columns.

https://crt.sh/accepted-roots-missing is a new page that shows the details of which roots are "missing" from which logs.

--
Rob Stradling
Senior Research & Development Scientist
Sectigo Limited
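
The comparison described in the post above, sketched as an added example that is not part of the original message and is not crt.sh's code: each log's accepted roots, in the RFC 6962 `get-roots` response format, are diffed against each root store. Matching by SHA-256 of the DER certificate is an assumption, and the log names, root names and certificate bytes are constructed placeholders.

```python
import base64
import hashlib
import json

def fingerprint(der: bytes) -> str:
    return hashlib.sha256(der).hexdigest()

def accepted_fingerprints(get_roots_body: str) -> set:
    """Parse an RFC 6962 get-roots JSON body into a set of SHA-256 fingerprints."""
    certs = json.loads(get_roots_body).get("certificates")
    if not isinstance(certs, list):
        raise ValueError("get-roots response has no 'certificates' array")
    return {fingerprint(base64.b64decode(c, validate=True)) for c in certs}

def missing_roots(store: dict, accepted: set) -> list:
    """Names of roots in the store that the log does not accept."""
    return sorted(n for n, der in store.items() if fingerprint(der) not in accepted)

def report(stores: dict, logs: dict) -> dict:
    """Map log name -> root store name -> list of missing roots."""
    out = {}
    for log_name, body in logs.items():
        accepted = accepted_fingerprints(body)
        out[log_name] = {s: missing_roots(r, accepted) for s, r in stores.items()}
    return out

# Constructed sample data: placeholder bytes stand in for DER certificates.
ROOT_A, ROOT_B, ROOT_C = b"constructed-root-A", b"constructed-root-B", b"constructed-root-C"
STORES = {
    "Chrome Root Store": {"Root A": ROOT_A, "Root B": ROOT_B},
    "Apple trust store": {"Root A": ROOT_A, "Root C": ROOT_C},
}

def encode_get_roots(*ders: bytes) -> str:
    """Build a get-roots style body from the sample certificates."""
    return json.dumps({"certificates": [base64.b64encode(d).decode() for d in ders]})

LOGS = {
    "example-log-1": encode_get_roots(ROOT_A, ROOT_B, ROOT_C),
    "example-log-2": encode_get_roots(ROOT_A, ROOT_B),
}

if __name__ == "__main__":
    for log_name, per_store in report(STORES, LOGS).items():
        for store_name, missing in per_store.items():
            print(f"{log_name}: {store_name}: {len(missing)} missing {missing}")
```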