Hello all,
In preparation for CT Days 2020 next week, I wanted to provide a preview of some of the changes Apple is currently planning to make to its CT Policy. We look forward to discussing further!
1. Require log operator diversity in SCTs
There is an inherent risk to allowing all SCTs to originate from a single Log Operator. Adjusting the policy to require including SCTs from a minimally diverse set of Log Operators will partially address the risk.
This change would affect certificates issued on or after April 1, 2021 only.
2. Require an additional SCT for >6 month cert lifetimes
As we move to an ecosystem where the maximum certificate lifetime is a little over a year, continuing to have additional SCTs for certs on the longer end of that spectrum will help ensure the certs most at risk within the current TLS landscape also have slightly higher levels of protection against log disruption.
This change would affect certificates issued on or after April 1, 2021 only.
3. Allow CT Log operators to reject non-TLS certificates
Certificate transparency is largely currently focused on the WebPKI and TLS certificates. In order to ensure log operators can preserve their services for that core use-case, log operators should be afforded the flexibility of determining whether their logs accept non-TLS certificates. The Apple Root Program should be notified at least one month prior to such a change going into affect.
4. Use more precise units in representing the policy’s technical enforcement
In order to ensure participants in the CT ecosystem reach the same conclusions when calculating the expected number of SCTs for a given certificate, the policy should be updated to be more precise by using days instead of months and providing a strict definition of “day”.
This change would affect certificates issued on or after April 1, 2021 only.
Please see an example draft CT Policy which incorporates these changes below:
/--BEGIN PROPOSED POLICY--/
Policy Requirements
Apple's policy requires at least two Signed Certificate Timestamps (SCT) issued from a CT log - once-approved* or currently approved at the time of check - and either:
At least two SCTs from currently approved CT logs with one SCT presented via TLS extension or OCSP Stapling; or
At least one embedded SCT from a currently approved log and at least the number of SCTs from once or currently approved logs, based on validity period as detailed in the table below.
For certificates with a notBefore greater than April 1, 2021, the number of embedded SCTs based on certificate lifetime:
Notes:
To be considered "once-approved", the timestamp in the SCT must have been issued from a CT log that was in the approved CT log list at the time of the SCT issuance.
A certificate's validity period (or lifetime) is defined in line with RFC 5280, Section 4.1.2.5, as "the period of time from notBefore through notAfter, inclusive."
Validity period is measured with a day being equal to 86,400 seconds. Any time greater than this indicates an additional day of validity.
Log operators MAY reject leaf certificates which don’t contain the serverAuth EKU.
/--END PROPOSED POLICY--/
Thanks!
-Clint
--
You received this message because you are subscribed to the Google Groups "Certificate Transparency Policy" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ct-policy+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/ct-policy/88339e3a-95d6-4776-9a50-becdfec9ebd1o%40chromium.org.
To unsubscribe from this group and stop receiving emails from it, send an email to ct-policy+unsubscribe@chromium.org.
--
You received this message because you are subscribed to the Google Groups "Certificate Transparency Policy" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ct-policy+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/ct-policy/88339e3a-95d6-4776-9a50-becdfec9ebd1o%40chromium.org.