Removing expired 2020 CT Log shards from Chrome

Devon O'Brien

Apr 8, 2021, 12:42:43 AM
to Certificate Transparency Policy

In Chrome 91, the following expired CT Log shards will be removed:

  • Google 'Argon2020' log
  • Google 'Xenon2020' log
  • Cloudflare 'Nimbus2020' Log
  • DigiCert Yeti2020 Log
  • DigiCert Nessie2020 Log
  • Let's Encrypt 'Oak2020' log
  • Trust Asia Log2020

These Logs will transition to the Rejected state, which results in these CT Logs being removed from the list of logs shipped in Chromium. SCTs from these Rejected Logs - past, present, or future - will no longer count towards CT Compliance for certificates, regardless of how they are delivered to Chrome. More information on CT Log states in Chrome can be found in the CT Log states explainer on our Chrome CT Policy page.

This change is part of the expected behavior for temporally-sharded CT Logs which have ceased issuing SCTs due to reaching the end of their expiry range. Out of an abundance of caution, we have scanned these Logs and have determined that there are no still-valid TLS certificates that are relying on SCTs from these Logs.

What does this mean for site operators?
These Logs transitioning to Rejected should require no action on your part, since all certificates relying on SCTs issued by these Logs should now be expired. This is true whether you are delivering SCTs via OCSP, TLS extension, or embedded in the certificate itself.

What does this mean for CAs?
There should be no impact to CAs from Rejecting these Logs, as they should have been removed from the logging configuration at the end of the Logs’ expiry range. If your CA still has any of these Logs configured for production certificate logging purposes, they should be removed immediately and the CA should ensure that they are logging certificates to, and obtaining SCTs from, a policy-satisfying set of CT Logs.

What does this mean for Log Operators?
Once these Logs transition to the Rejected state, Chrome no longer requires that they continue operation. For any of these CT Logs still in operation, Log Operators for these Logs should consider checking with other CT-enforcing User Agents to ensure that there are no issues with ceasing operation before doing so.

Log Operators for CT Logs not listed in the above set of Logs do not need to take any action.
