Announcing new availability monitoring and requirements for logs trusted by Chrome


Carlos Joan Rafael Ibarra Lopez

Oct 6, 2023, 3:28:49 PM10/6/23
to Certificate Transparency Policy

Hi ct-policy@,


Chrome is changing how we monitor logs for compliance with our requirements, and while most changes will be invisible externally, the definition of availability for Chrome’s 99% uptime requirement will change. Before this new requirement takes effect, we wanted to explain these changes to log operators and the broader CT community.


Previously, our availability monitoring calculated log uptime using only the get-sth API endpoint, and did not monitor other endpoints described in RFC 6962. Our new infrastructure monitors and validates responses across all RFC-defined endpoints, producing per-endpoint availability numbers. With this change, we are planning to expand our policy to require 99% availability on all endpoints, such that any single endpoint under 99% would mean the log was out of compliance, regardless of other endpoints’ availability. We believe that this new definition presents a more accurate view of CT log health and ensures that recognized logs are meeting the needs of their consumers across all endpoints. 


The new availability values for each endpoint are published in csv format at https://www.gstatic.com/ct/compliance/endpoint_uptime.csv, and the minimum availability seen for each log is published at https://www.gstatic.com/ct/compliance/min_uptime.csv. The latter is in the same format as the currently published https://www.gstatic.com/ct/compliance/uptime.csv. Once we fully transition, we will stop publishing uptime.csv to avoid confusion and reflect this change in policy.


Initially, we are excluding the get-entry-and-proof endpoint from uptime requirements. While this endpoint is required by RFC 6962, many log operators do not support it. We hope and expect to require full compliance once support is more widely available in open source implementations.


Currently, some logs have endpoints with availability values under 99%. We have reached out to affected log operators so that they can address those availability issues before new requirements come into effect. While we have not yet finalized a timeline for this policy change, our hope is to enact the change before the end of the year. We will notify ct-policy@ once we have a defined date.


Please let us know if there are any questions or concerns,

-Carlos, from the Chrome CT team
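The per-endpoint rule described above (every RFC 6962 endpoint at or above 99%, get-entry-and-proof initially exempt, the per-log minimum reported separately), as an added example for log operators checking their own figures; this is not Chrome's tooling, and the column layout `log,endpoint,uptime` is an assumption, since the announcement does not describe the CSV schema.

```python
# Evaluate CT log availability against the proposed per-endpoint 99% rule.
# Added example, not Chrome's code. Column layout (log,endpoint,uptime in
# percent) is assumed; adjust the DictReader keys to match the real CSV.
import csv
import io

THRESHOLD = 99.0
EXEMPT = {"get-entry-and-proof"}  # required by RFC 6962, but initially exempt

# Constructed sample rows, not real published data.
SAMPLE_CSV = """log,endpoint,uptime
example-log-a,get-sth,99.95
example-log-a,get-sth-consistency,99.90
example-log-a,get-proof-by-hash,99.91
example-log-a,get-entries,98.70
example-log-a,get-roots,99.99
example-log-a,get-entry-and-proof,0.00
example-log-b,get-sth,99.80
example-log-b,get-sth-consistency,99.60
example-log-b,get-proof-by-hash,99.55
example-log-b,get-entries,99.10
example-log-b,get-roots,99.97
example-log-b,get-entry-and-proof,97.00
"""

def parse_endpoint_uptime(text):
    """Return {log: {endpoint: uptime_percent}} from endpoint-level CSV text."""
    result = {}
    for row in csv.DictReader(io.StringIO(text)):
        result.setdefault(row["log"], {})[row["endpoint"]] = float(row["uptime"])
    return result

def min_uptime(endpoints, exempt=EXEMPT):
    """Minimum availability over non-exempt endpoints (the per-log figure)."""
    return min(u for e, u in endpoints.items() if e not in exempt)

def compliance_report(per_log, threshold=THRESHOLD, exempt=EXEMPT):
    """Map log -> (min_uptime, compliant, endpoints below threshold).
    Any single non-exempt endpoint below the threshold fails the whole log."""
    report = {}
    for log, endpoints in per_log.items():
        low = sorted(e for e, u in endpoints.items()
                     if e not in exempt and u < threshold)
        report[log] = (min_uptime(endpoints, exempt), not low, low)
    return report

if __name__ == "__main__":
    for log, (m, ok, low) in compliance_report(parse_endpoint_uptime(SAMPLE_CSV)).items():
        print(f"{log}: min={m:.2f}% " + ("OK" if ok else "NON-COMPLIANT " + ",".join(low)))
```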

