Removing expired 2021 CT logs from Chrome and calling for 2024 logs

201 views

Skip to first unread message

Devon O'Brien

unread,

Feb 28, 2022, 6:37:52 PM2/28/22

to Certificate Transparency Policy

Hello ct-policy@,

Today, we’re announcing a number of CT log removals that are now past their expiry range. Starting in Chrome 100, these logs will be removed from the log list that’s included in the release binary. Current CT-enforcing versions of Chrome that can reach the Component Updater service for updated CT log lists may receive these removals sooner.

Additionally, we’d like to request that all log operators of the below CT logs stand up and submit 2024 logs for approval to the existing CT log Chromium bugs if they have not already done so.

The following CT logs have reached the end of their expiry range:

Google 'Argon2021' log (https://ct.googleapis.com/logs/argon2021/)
Google 'Xenon2021' log (https://ct.googleapis.com/logs/xenon2021/)
Cloudflare 'Nimbus2021' Log (https://ct.cloudflare.com/logs/nimbus2021/)
DigiCert Yeti2021 Log (https://yeti2021.ct.digicert.com/log/)
DigiCert Nessie2021 Log (https://nessie2021.ct.digicert.com/log/)
Let's Encrypt 'Oak2021' log (https://oak.ct.letsencrypt.org/2021/)
Trust Asia CT2021 (https://ct2021.trustasia.com/log2021/)
Trust Asia Log2021 (https://ct.trustasia.com/log2021/) - Retired 2020-12-01

These logs will transition to the Rejected state, which means they will be removed entirely from the log list shipped to Chrome. SCTs from these Rejected logs - past, present, or future - will no longer count towards a certificate’s CT compliance, regardless of how the SCTs are delivered.

What does this mean for site operators

These logs transitioning to Rejected should require no action on your part, since all certificates relying on SCTs issued by these logs should now be expired and/or no longer in use. This is true whether you are delivering SCTs via OCSP, TLS extension, or embedded in the certificate itself.

What does this mean for CAs

There should be no impact to CAs from Rejecting these logs. If a CA still has any of these logs configured for production certificate logging purposes, they should be removed and the CA should ensure that they are logging certificates to a policy-satisfying set of Qualified or Usable CT logs.

What does this mean for Log Operators

When these logs transition to Rejected, Chrome no longer requires that they continue operation. log operators for these logs should check with other CT-enforcing user agents to ensure that there are no issues with ceasing operation of these CT logs.

Log operators for CT logs not listed in the above set of Logs do not need to take any action.

Reply all

Reply to author

Forward

0 new messages