Monitoring "missing" accepted roots

[Rob Stradling]

The Chrome CT Log Policy expects logs "to accept logging submissions from CAs that are trusted by default in Chrome across all its supported platforms, including ChromeOS, Android, Linux, Windows, macOS, iOS".  Chrome uses the Chrome Root Store on all platforms except iOS, on which it uses Apple's trust store.

Similarly, the Apple CT log program requires logs to "trust all root CA certificates included in Apple's trust store".

Building on crt.sh's existing tracking of root stores and of logs' accepted roots, today I've added more monitoring to show if/how each log is deviating from the policy requirements mentioned above:

• https://crt.sh/monitored-logs summarises the findings in two new "# Roots Missing" columns.
• https://crt.sh/accepted-roots-missing is a new page that shows the details of which roots are "missing" from which logs.

--

Rob Stradling

Senior Research & Development Scientist

Sectigo Limited