Apple Log List Updates

Bailey Basile

Mar 1, 2019, 2:25:32 PM
to Certificate Transparency Policy
All,

As discussed in the CT Policy Days we hosted in November 2018, the community has worked to improve the definitions of these states and the transitions between them. Our program uses those definitions and transitions for our log list.

We have published an update to our log list from version 32 to version 42 today and are announcing the following transitions.

Usable To Retired
In light of the following logs being turned down by their operator, they have been transitioned from Qualified to Retired effective 15 February, 2019, with the last ‘Qualified’ SCT having a timestamp no later than 1550275199, or 2019-02-15T23:59:59+00:00 in ISO 8601 format:
As documented by Chrome's excellent post, embedded SCTs from these logs will be treated as "once qualified" by relying Apple platforms, and server operators using certificates containing them should require no changes. SCTs received via TLS or Stapled OCSP responses will not be qualified; therefore, CA and server operators delivering SCTs from the newly retired logs via TLS or Stapled OCSP will need to update their configurations to use SCTs from a usable log.

Pending To Qualified
The following logs have been transitioned from Pending to Qualified:
Note that per the definitions, these newly qualified logs are not yet usable. CA and Server operators should not begin using Qualified logs for production systems until they have transitioned to Usable. We will make a log list update and an announcement at that time.


Apple's current log list is always available at https://valid.apple.com/ct/log_list/current_log_list.json.
Our current log list schema is always available at https://valid.apple.com/ct/log_list/current_log_list_schema.json.


In the future we will post announcements regarding updates to our log list on this thread.

Bailey Basile

Mar 19, 2019, 6:36:50 PM
to Certificate Transparency Policy
All,

Apple has published an update to our log list from version 42 to version 47 today, and we are announcing the following transitions in that update.

Qualified to Usable
The following logs have been transitioned from Qualified to Usable:
All Apple devices that enforce CT for TLS server certificates now have a version of the CT log list that contains these logs, so CA and Server operators may begin using these logs for production systems that require compatibility with Apple platforms. (Note that production systems also requiring compatibility with Chrome should wait for Chrome to indicate that these logs are also Usable in Chrome.)

Usable to Read-Only
In light of the following log no longer accepting new entries, it has transitioned from Usable to Read-only effective 28 February 2018 (when the log stopped accepting new entries).
SCTs issued from this log prior to 28 February 2018 will continue to be counted as qualified by relying Apple platforms. CA and Server operators should be preparing for the planned retirement of this log on 1 January 2020.



Apple's current log list is always available at https://valid.apple.com/ct/log_list/current_log_list.json.
Our current log list schema is always available at https://valid.apple.com/ct/log_list/current_log_list_schema.json.

Bailey Basile

Mar 28, 2019, 2:30:06 PM
to Certificate Transparency Policy
All,

Apple has published an update to our log list from version 47 to version 48 today. There are no log transitions in that update.

Version 48 fixes issues with strings in the log list that were non-compliant with strict validation of the formats specified in the schema. In addition, we have improved our processes to enforce a stricter form of validation, including validation of the formats of strings, before changes are merged to the log list.

None of the non-compliant fields were used by Apple's client software.

We apologize for the inconvenience this issue has caused users of our log list, and we thank the Google CT team for reporting this issue to us.


Apple's current log list is always available at https://valid.apple.com/ct/log_list/current_log_list.json.
Our current log list schema is always available at https://valid.apple.com/ct/log_list/current_log_list_schema.json.

Bailey Basile

Jun 20, 2019, 2:35:03 AM
to Certificate Transparency Policy
All,

Apple has published an update to our log list from version 48 to version 60 today, and we are announcing the following log transitions in that update.

Qualified to Usable
The following logs have been transitioned from Qualified to Usable:
All Apple devices that enforce CT for TLS server certificates now have a version of the CT log list that contains these logs, so CA and Server operators may begin using these logs for production systems that require compatibility with Apple platforms. (Note that production systems also requiring compatibility with Chrome should wait for Chrome to indicate that these logs are also Usable in Chrome.)

New Pending Logs
The following logs have been added as pending inclusion:
Note that per the definitions, these new pending logs are not yet usable. CA and Server operators should not begin using Pending logs for production systems.


Apple's current log list is always available at https://valid.apple.com/ct/log_list/current_log_list.json.
Our current log list schema is always available at https://valid.apple.com/ct/log_list/current_log_list_schema.json.

Bailey Basile

Jul 11, 2019, 5:05:44 PM
to Certificate Transparency Policy
All,

Apple has published an update to our log list from version 60 to 61 today. There are no log transitions in that update.

Version 61 corrects the email address for the Google log operations team.

We thank the Google CT team for reporting this issue to us.


Apple's current log list is always available at https://valid.apple.com/ct/log_list/current_log_list.json.
Our current log list schema is always available at https://valid.apple.com/ct/log_list/current_log_list_schema.json.

Bailey Basile

Oct 2, 2019, 12:45:03 AM
to Certificate Transparency Policy
All,

Apple has published an update to our log list from version 61 to version 71 today, and we are announcing the following log transitions in that update.

Pending To Qualified
The following logs have been transitioned from Pending to Qualified:
    These newly qualified logs are not yet usable. CA and Server operators should not begin using Qualified logs for production systems until they have transitioned to Usable. We will make a log list update and an announcement at that time.


    Apple's current log list is always available at https://valid.apple.com/ct/log_list/current_log_list.json.
    Our current log list schema is always available at https://valid.apple.com/ct/log_list/current_log_list_schema.json.
    Details on Apple's log policy are available at https://support.apple.com/en-us/HT205280.
    Apple's log program requirements are available at https://support.apple.com/en-us/HT209255.

    Clint

    Dec 3, 2019, 1:23:49 PM
    to Certificate Transparency Policy
    Hello all!

    Apple has published an update to our log list, from version 71 to version 79 today, and we are announcing the following log transitions in that update.

    Qualified To Usable
    The following logs have been transitioned from Qualified to Usable:
        •    DigiCert's Yeti 2023 (https://yeti2023.ct.digicert.com/log/)

        •    DigiCert's Nessie 2023 (https://nessie2023.ct.digicert.com/log/)
        •    Google's Argon 2023 (https://ct.googleapis.com/logs/argon2023/)
        •    Google's Xenon 2023 (https://ct.googleapis.com/logs/xenon2023/)
        •    Let's Encrypt's Oak 2019 (https://oak.ct.letsencrypt.org/2019/)
        •    Let's Encrypt's Oak 2020 (https://oak.ct.letsencrypt.org/2020/)
        •    Let's Encrypt's Oak 2021 (https://oak.ct.letsencrypt.org/2021/)
        •    Let's Encrypt's Oak 2022 (https://oak.ct.letsencrypt.org/2022/)

    All Apple devices that enforce CT for TLS server certificates have updated to version 79 of the log list, so CA and Server operators may begin using these logs for production systems that require compatibility with Apple platforms. (Note that production systems also requiring compatibility with Chrome should wait for Chrome to indicate that these logs are also Usable in Chrome.)


    Apple's current log list is always available at https://valid.apple.com/ct/log_list/current_log_list.json.
    Our current log list schema is always available at https://valid.apple.com/ct/log_list/current_log_list_schema.json.
    Details on Apple's log policy are available at https://support.apple.com/en-us/HT205280.
    Apple's log program requirements are available at https://support.apple.com/en-us/HT209255.


    Thank you!
    Clint

    Clint

    Feb 4, 2020, 6:26:23 PM
    to Certificate Transparency Policy
    Hello all!

    Apple has published an update to our log list, from version 79 to version 80, and we are announcing the following log transition in that update.

    Usable To Read-only
    The following log has been transitioned from Usable to Read-only:
        •    Cloudflare’s Nimbus 2019 (https://ct.cloudflare.com/logs/nimbus2019)


    Apple's current log list is always available at https://valid.apple.com/ct/log_list/current_log_list.json.
    Our current log list schema is always available at https://valid.apple.com/ct/log_list/current_log_list_schema.json.
    Details on Apple's log policy are available at https://support.apple.com/en-us/HT205280.
    Apple's log program requirements are available at https://support.apple.com/en-us/HT209255.


    Cheers!
    Clint

    Clint

    Feb 28, 2020, 4:54:50 PM
    to Certificate Transparency Policy
    Hi all,

    Apple has published an update to our log list, from version 80 to 81, and we are announcing the following additions in this update.

    New Pending Log
    The following log has been added as Pending inclusion:
    Note that per the definitions found at https://support.apple.com/en-us/HT209255, this new pending log is not yet usable. CA and Server operators should not begin using a Pending log for production systems.

    Apple's current log list is always available at https://valid.apple.com/ct/log_list/current_log_list.json.
    Our current log list schema is always available at https://valid.apple.com/ct/log_list/current_log_list_schema.json.
    Details on Apple's log policy are available at https://support.apple.com/en-us/HT205280.
    Apple's log program requirements are available at https://support.apple.com/en-us/HT209255.


    Thanks!
    -Clint

    Clint

    May 4, 2020, 4:49:55 PM
    to Certificate Transparency Policy
    Hi all,

    Apple has published an update to our log list, from version 81 to 86, and we are announcing the following state transitions in this update.

    Read-only to Retired
    The following log has been transitioned from readonly to retired:
    Usable to Retired
    The following logs have been transitioned from usable to retired:
    Usable to Read-only
    The following logs have been transitioned from usable to readonly:

    Apple's current log list is always available at https://valid.apple.com/ct/log_list/current_log_list.json.
    Our current log list schema is always available at https://valid.apple.com/ct/log_list/current_log_list_schema.json.
    Details on Apple's log policy are available at https://support.apple.com/en-us/HT205280.
    Apple's log program requirements, including definitions for CT log states, are available at https://support.apple.com/en-us/HT209255.

    Prior versions of our log list may be found under https://valid.apple.com/ct/log_list/log_list_versions/log_list_v<log list version>.json (e.g. https://valid.apple.com/ct/log_list/log_list_versions/log_list_v81.json).

    Thanks!
    -Clint

    Clint

    May 6, 2020, 9:33:42 PM
    to Certificate Transparency Policy
    Hi all,

    Apple has published an update to our log list, from version 86 to 87, and we are announcing the following state transition in this update.

    Usable to Retired
    The following log has been transitioned from usable to retired:
    Due to DigiCert’s recently announced possible compromise of the DigiCert Log Server 2’s signing key[1], we are retiring this CT Log in version 87 of Apple’s CT Log List, enforcing a retirement timestamp of 2020-05-04T00:00:40Z. SCTs generated prior to this date will be considered “once-approved”.

    Note that on Apple platforms, for SCTs presented via TLS extension or OCSP stapling, Apple’s CT Policy requires that all SCTs be from currently approved CT logs; once-approved SCTs do not qualify.
    For SCTs embedded in a TLS certificate, a minimum of one SCT must be from a currently approved CT log, while additional SCTs may be from a once-approved CT log.

    As with all log list updates, the changes published to https://valid.apple.com/ct/log_list/current_log_list.json will be enforced on Apple platforms a few weeks after the update is made.

    Apple's current log list is available at https://valid.apple.com/ct/log_list/current_log_list.json.
    Apple’s current log list schema is available at https://valid.apple.com/ct/log_list/current_log_list_schema.json.

    Details on Apple's log policy are available at https://support.apple.com/en-us/HT205280.
    Apple's log program requirements, including definitions for CT log states, are available at https://support.apple.com/en-us/HT209255.
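
The rule in the message above, as an added example that is not part of the original post or Apple's code: it classifies each SCT as current, once-approved or unapproved and applies the per-delivery rule. The `Log` and `Sct` types, the set of "currently approved" states and the sample usable log are assumptions; the number of SCTs a certificate needs is not modelled.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple

# Assumption: the post does not enumerate which states are "currently
# approved"; this set is illustrative and should follow Apple's policy page.
CURRENTLY_APPROVED_STATES = frozenset({"qualified", "usable", "readonly"})


@dataclass(frozen=True)
class Log:
    name: str
    state: str                              # e.g. "usable", "retired"
    retired_at: Optional[datetime] = None   # retirement timestamp, if retired


@dataclass(frozen=True)
class Sct:
    log: Log
    timestamp: datetime                     # time the log issued the SCT


def classify(sct: Sct) -> str:
    """Return 'current', 'once-approved' or 'unapproved' for one SCT."""
    if sct.log.state in CURRENTLY_APPROVED_STATES:
        return "current"
    if (sct.log.state == "retired" and sct.log.retired_at is not None
            and sct.timestamp < sct.log.retired_at):
        return "once-approved"              # issued before the retirement timestamp
    return "unapproved"


def evaluate(scts: List[Sct], delivery: str) -> Tuple[bool, List[Sct]]:
    """Apply the approval rule for delivery 'embedded', 'tls' or 'ocsp'.

    Returns (rule_satisfied, scts_that_count).
    """
    if delivery not in ("embedded", "tls", "ocsp"):
        raise ValueError(f"unknown delivery method: {delivery}")
    current = [s for s in scts if classify(s) == "current"]
    once = [s for s in scts if classify(s) == "once-approved"]
    if delivery == "embedded":
        # At least one current SCT; once-approved SCTs may make up the rest.
        return (bool(current), (current + once) if current else [])
    # TLS extension / stapled OCSP: only currently approved logs count.
    return (bool(current), current)


UTC = timezone.utc
# Retirement timestamp taken from the post; SCT timestamps are constructed.
DIGICERT_LS2 = Log("DigiCert Log Server 2", "retired",
                   datetime(2020, 5, 4, 0, 0, 40, tzinfo=UTC))
EXAMPLE_USABLE = Log("Example Usable Log (constructed)", "usable")
OLD_SCT = Sct(DIGICERT_LS2, datetime(2020, 4, 1, tzinfo=UTC))
LATE_SCT = Sct(DIGICERT_LS2, datetime(2020, 5, 5, tzinfo=UTC))
LIVE_SCT = Sct(EXAMPLE_USABLE, datetime(2020, 4, 1, tzinfo=UTC))

if __name__ == "__main__":
    for delivery in ("embedded", "tls"):
        ok, counted = evaluate([OLD_SCT, LIVE_SCT], delivery)
        print(delivery, ok, [s.log.name for s in counted])
```
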

    Clint

    Jun 1, 2020, 4:16:37 PM
    to Certificate Transparency Policy
    Hello All,

    Apple has published an update to our log list, from version 87 to 89, and we are announcing the following state transitions in this update.

    Read-only to Retired
    The following logs have been transitioned from readonly to retired:

    Apple's current log list is available at https://valid.apple.com/ct/log_list/current_log_list.json.
    Our current log list schema is available at https://valid.apple.com/ct/log_list/current_log_list_schema.json.

    Details on Apple's log policy are available at https://support.apple.com/en-us/HT205280.
    Apple's log program requirements, including definitions for CT log states, are available at https://support.apple.com/en-us/HT209255.

    Prior versions of our log list may be found under https://valid.apple.com/ct/log_list/log_list_versions/log_list_v<log list version>.json (e.g. https://valid.apple.com/ct/log_list/log_list_versions/log_list_v87.json).

    Thanks!
    -Clint

    Clint

    Jan 7, 2021, 11:08:07 AM
    to Certificate Transparency Policy, Clint
    Hello all,

    Apple has published two updates to our log list, from version 89 to 97, and we are announcing the following state transitions. 

    New Operator
    TrustAsia has been added as a CT Log Operator

    Rejected Logs
    The following logs have been rejected:
    New Pending Logs
    The following logs have been added as pending:
    Pending to Usable
    The following log has been transitioned from pending to usable:
    Asset Version
    The Asset version of the CT Log List has also been updated. Version 9 added the Let’s Encrypt 2023 log shard as qualified. Version 10 included a second, currently identical, CT Log List for non-TLS use cases discussed further at https://groups.google.com/g/mozilla.dev.security.policy/c/bs2XT6knT08/m/61teZrvxAQAJ. Versions 11 and 12 were changes unrelated to CT.


    Apple's current log list is available at https://valid.apple.com/ct/log_list/current_log_list.json.
    Our current log list schema is available at https://valid.apple.com/ct/log_list/current_log_list_schema.json.

    Details on Apple's log policy are available at https://support.apple.com/en-us/HT205280.
    Apple's log program requirements, including definitions for CT log states, are available at https://support.apple.com/en-us/HT209255.
    Prior versions of our log list may be found under https://valid.apple.com/ct/log_list/log_list_versions/log_list_v<log list version>.json (e.g. https://valid.apple.com/ct/log_list/log_list_versions/log_list_v97.json).

    Thanks!
    -Clint

    Jerry Hou

    May 16, 2021, 10:12:41 PM
    to Certificate Transparency Policy, Clint
    Hi Clint,

    According to Apple CT policy requirements, TrustAsia Log 2022 and TrustAsia Log 2023 have exceeded 90 days; should the log status become qualified?

    Thanks!
    Jerry

    Clint

    Aug 25, 2021, 1:04:07 PM
    to Certificate Transparency Policy
    Hello All,

    Apple has published a few updates to our log list, from version 97 to 104, and we are announcing the following state transitions in this update. 

    Retired Log
    The following log has been retired as of 2021-07-21T00:00:00Z:
    New Qualified Log
    The following log has been added as qualified:
    Newly Usable Logs
    The following logs have been transitioned to usable:
    Apple's current log list is available at https://valid.apple.com/ct/log_list/current_log_list.json.
    Our current log list schema is available at https://valid.apple.com/ct/log_list/current_log_list_schema.json.

    Details on Apple's log policy are available at https://support.apple.com/en-us/HT205280.
    Apple's log program requirements, including definitions for CT log states, are available at https://support.apple.com/en-us/HT209255.
    Prior versions of our log list may be found under https://valid.apple.com/ct/log_list/log_list_versions/log_list_v<log list version>.json (e.g. https://valid.apple.com/ct/log_list/log_list_versions/log_list_v104.json).

    Thanks!
    -Clint

    Jeffrey Hughes

    Sep 5, 2021, 11:57:05 PM
    to Clint, Certificate Transparency Policy


    J~hughe


    Clint

    Oct 13, 2021, 6:15:49 PM
    to Certificate Transparency Policy
    Hello All,

    Apple has published a few updates to our log list, from version 104 to 105, and we are announcing the following changes in this update. 

    Updated Temporal Interval Values
    The following updates have been made to Temporal Interval ranges on the following Log Shards. These changes were made to ensure the log list and its component values are consistent within the ecosystem.
    • "Let’s Encrypt Oak2023"
      • The 'end_exclusive' value has been updated from "2024-01-01T00:00:00Z" to "2024-01-07T00:00:00Z"
    • "DigiCert 'Yeti 2018' log"
      • The 'start_inclusive' value has been updated from "2018-01-01T00:00:00Z" to "2017-12-12T00:00:00Z"
    • "DigiCert 'Nessie 2018' log"
      • The 'start_inclusive' value has been updated from "2018-01-01T00:00:00Z" to "2017-12-12T00:00:00Z"
    • "GDCA 'CT Log 1' log"
      • A 'start_inclusive' value of "2018-01-01T00:00:00Z" has been added
      • An 'end_exclusive' value of "2023-01-01T00:00:00Z" has been added
    • "GDCA 'CT Log 2' log"
      • A 'start_inclusive' value of "2018-01-01T00:00:00Z" has been added
      • An 'end_exclusive' value of "2023-01-01T00:00:00Z" has been added

    Apple's current log list is available at https://valid.apple.com/ct/log_list/current_log_list.json.
    Our current log list schema is available at https://valid.apple.com/ct/log_list/current_log_list_schema.json.

    Details on Apple's log policy are available at https://support.apple.com/en-us/HT205280.
    Apple's log program requirements, including definitions for CT log states, are available at https://support.apple.com/en-us/HT209255.
    Prior versions of our log list may be found under https://valid.apple.com/ct/log_list/log_list_versions/log_list_v<log list version>.json (e.g. https://valid.apple.com/ct/log_list/log_list_versions/log_list_v104.json).

    Thanks!
    -Clint

    Lin Nguyen

    Dec 4, 2021, 7:39:13 AM
    to Clint, Certificate Transparency Policy


    On Thu, Oct 14, 2021 at 5:15 AM, 'Clint' via Certificate Transparency Policy <ct-p...@chromium.org> wrote: