Removing old CT logs

401 views
Skip to first unread message

Nick Harper

unread,
Feb 1, 2024, 8:19:58 PMFeb 1
to Certificate Transparency Policy

Hi ct-policy@,


The following CT log shards have been expired or shut down by the log operator and will be removed from Chrome:



These logs will transition to the Rejected state, which means they will be removed entirely from the log list shipped to Chrome. SCTs from these Rejected logs - past, present, or future - will no longer count towards a certificate’s CT compliance, regardless of how the SCTs are delivered. 


CT-enforcing versions of Chrome will receive this update in the next few days, and the change affects the log list hard-coded into the Chrome Binary starting in 123.


What does this mean for site operators


These logs transitioning to Rejected should require no action by site operators, since all certificates relying on SCTs issued by these logs should now be expired and/or no longer in use. This is true whether sites are delivering SCTs via OCSP, TLS extension, or embedded in the certificate itself.


What does this mean for CAs


There should be no impact to CAs from Rejecting these logs. If a CA still has any of these logs configured for production certificate logging purposes, they should be removed and the CA should ensure that they are logging certificates to a policy-satisfying set of Usable CT logs.


What does this mean for Log Operators


Once CT logs transition to Rejected, Chrome no longer requires that they continue operation. Log operators for these logs should check with other CT-enforcing user agents to ensure that there are no issues with ceasing operation of these CT logs (if they are still operational).


Log operators for CT logs not listed above do not need to take any action.

Reply all
Reply to author
Forward
0 new messages