Retiring DigiCert Yeti 2022-2/2023 Logs in Chrome


Joe DeBlasio

Sep 30, 2022, 5:32:57 PM
to Certificate Transparency Policy

Hi ct-policy@,


Following DigiCert's report on ct-policy@ that some Yeti shards have experienced unrecoverable database failures, effective October 14, 2022, the following Logs will transition to Retired, with the last ‘Qualified’ SCT having a timestamp no later than 2022-09-29T00:00:00Z:


After October 13, 2022, SCTs from these logs will not count towards the CT Compliance requirements stating that at least one SCT must come from a CT Log that was Qualified, Usable, or ReadOnly at time of check. As such, CAs and site operators should not serve SCTs from these Logs in the TLS handshake, in OCSP responses, or embedded in certificates issued on-or-after 2022-09-29T00:00:00Z, as these SCTs will not contribute towards Chrome's CT compliance requirements.


Embedded SCTs dated prior to 2022-09-29T00:00:00Z will still satisfy CT Compliance requirements that permit SCTs to come from CT Logs that are Qualified, Usable, ReadOnly, or Retired at time of check; however, at least one other SCT must come from a non-Retired CT Log in order for the certificate to successfully validate in Chrome.


What does this mean for site operators?

Most site operators use SCTs embedded in their certificate. These site operators do not need to take any action. All previously-issued certificates containing compliant SCTs from these logs will continue to function.


If you are serving SCTs via stapled OCSP, then your CA must update their OCSP pipeline to ensure they are embedding a policy-satisfying set of SCTs. Once done, you must refresh the OCSP response stapled to the connections. Alternatively, you may choose to provide SCTs via another mechanism outlined in the Chrome CT Policy.


If you are delivering SCTs via a TLS extension, SCTs issued by these logs will no longer contribute towards CT Compliance. You will need to update the set of SCTs included in the handshake to comply with the Chrome CT Policy.


What does this mean for CAs?

Effective immediately, CAs should stop relying on SCTs provided from these logs, regardless of how SCTs are provided to the browser.


Certificates embedding SCTs from these logs issued after today's retirement date will not meet CT Compliance requirements and will not function properly in Chrome. To ensure that newly-issued certificates will be CT-compliant, you must update your CA’s CT log configuration to remove these logs while also ensuring that you are still logging to a policy-satisfying set of CT logs after the removal.


While it is not required by policy, CAs with existing certificates embedding SCTs from these logs may wish to proactively reissue affected certificates to increase the resilience of these certificates to possible future log incidents.


Finally, if you are embedding SCTs from these logs in your OCSP responses, you must issue new OCSP responses that replace these SCTs with new ones from a set of CT logs that satisfies Chrome's CT Policy. Your customers must then begin to serve these new responses or provide a policy-satisfying set of SCTs via another mechanism before the effective date above.


What does this mean for Log Operators?

If you are operating a CT Log not listed above, you do not need to take any action.


Best,

Joe


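As an added illustration (not part of the announcement above, and not Chrome's or DigiCert's code), the following Python evaluates a set of SCTs against the two rules the message describes: an SCT from a Retired log counts only if its timestamp is no later than the log's cutoff, and at least one counting SCT must come from a log that is Qualified, Usable or ReadOnly at time of check. Log IDs, log names and SCT timestamps are constructed; the only real value is the 2022-09-29T00:00:00Z cutoff from the announcement. The full Chrome CT Policy has further requirements (minimum SCT counts by certificate lifetime, operator diversity) that this check does not model.

```python
"""Check SCTs against the two Chrome CT Policy rules stated in the
announcement: (1) SCTs from a Retired log count only if their timestamp is
no later than the retirement cutoff; (2) at least one counting SCT must come
from a non-Retired (Qualified/Usable/ReadOnly) log at time of check.

This is an added example. Log IDs, names and SCT timestamps are constructed;
the full policy has extra requirements (SCT counts, operator diversity) that
are deliberately not modelled here.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

NON_RETIRED = frozenset({"Qualified", "Usable", "ReadOnly"})


@dataclass(frozen=True)
class LogState:
    name: str
    state: str                      # Qualified | Usable | ReadOnly | Retired | Rejected
    retired_at: Optional[datetime]  # last SCT timestamp that still counts, if Retired


@dataclass(frozen=True)
class SCT:
    log_id: str          # normally hex of the log key hash; constructed here
    timestamp: datetime  # SCT timestamp, UTC


def utc(s: str) -> datetime:
    """Parse an ISO-8601 'Z' timestamp into an aware UTC datetime."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Constructed log list: one Retired shard with the cutoff from the announcement,
# two non-retired logs and one Rejected log.
LOG_LIST: Dict[str, LogState] = {
    "yeti2023":   LogState("Yeti 2023 (constructed)",   "Retired",   utc("2022-09-29T00:00:00Z")),
    "argon2023":  LogState("Argon 2023 (constructed)",  "Qualified", None),
    "nessie2023": LogState("Nessie 2023 (constructed)", "Usable",    None),
    "oldlog":     LogState("Rejected log (constructed)", "Rejected", None),
}


def sct_counts(sct: SCT, log: LogState) -> bool:
    """Rule 1: non-retired logs always count; Retired logs count only up to the cutoff."""
    if log.state in NON_RETIRED:
        return True
    if log.state == "Retired":
        return log.retired_at is not None and sct.timestamp <= log.retired_at
    return False  # Rejected or any other state never counts


def evaluate(scts: List[SCT], log_list: Dict[str, LogState] = LOG_LIST) -> Tuple[bool, List[str]]:
    """Apply rules 1 and 2; return (compliant_under_these_rules, human-readable reasons)."""
    reasons: List[str] = []
    counting = 0
    has_non_retired = False
    for sct in scts:
        log = log_list.get(sct.log_id)
        if log is None:
            reasons.append(f"{sct.log_id}: not in log list, ignored")
            continue
        if sct_counts(sct, log):
            counting += 1
            if log.state in NON_RETIRED:
                has_non_retired = True
            reasons.append(f"{log.name}: counts ({log.state})")
        else:
            reasons.append(f"{log.name}: does not count ({log.state}, SCT at {sct.timestamp.isoformat()})")
    if counting == 0:
        reasons.append("no counting SCTs")
    elif not has_non_retired:
        reasons.append("all counting SCTs are from Retired logs; at least one must be non-Retired")
    return (counting > 0 and has_non_retired), reasons


# Constructed embedded-SCT sets resembling what a CA or site operator might find.
CERT_BEFORE_CUTOFF = [SCT("yeti2023", utc("2022-06-01T12:00:00Z")),
                      SCT("argon2023", utc("2022-06-01T12:00:00Z"))]
CERT_ONLY_RETIRED = [SCT("yeti2023", utc("2022-06-01T12:00:00Z"))]
CERT_AFTER_CUTOFF = [SCT("yeti2023", utc("2022-10-01T00:00:00Z")),
                     SCT("nessie2023", utc("2022-10-01T00:00:00Z"))]

if __name__ == "__main__":
    for label, scts in [("before cutoff", CERT_BEFORE_CUTOFF),
                        ("only retired", CERT_ONLY_RETIRED),
                        ("after cutoff", CERT_AFTER_CUTOFF)]:
        ok, why = evaluate(scts)
        print(f"{label}: {'compliant' if ok else 'NOT compliant'}")
        for line in why:
            print("  -", line)
```

Run it directly to see the three constructed cases: the pre-cutoff certificate with a Yeti and an Argon SCT passes, the certificate carrying only a Yeti SCT fails (no non-Retired SCT), and the post-cutoff Yeti SCT is ignored while the Nessie SCT keeps that certificate compliant under these two rules.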