Add New Root to CT Logs

Bruce Morton

Jul 24, 2020, 3:35:52 PM
to Certificate Transparency Policy
Is there an easy way to add a new root to the CT logs which are managed by the many parties? Or do we have to reach out to each log owner individually?

Thanks, Bruce.

Ryan Sleevi

Jul 24, 2020, 3:47:37 PM
to Bruce Morton, Certificate Transparency Policy
Yes, you should reach out to the Log Operators directly.

A number of Log Operators are automatically adding roots accepted by major browser programs, as stated in their Inclusion Requests. If you're dealing with a new root intended for browser use, but which has not yet been accepted by any browser program, reaching out directly to the Log Operators is the recommended approach. Note that Log Operators may decline to add such roots, at least until one or more browser root programs accept that root, as a means of mitigating spam and/or abuse from the CA.


Bruce Morton

Jul 24, 2020, 4:47:07 PM
to Certificate Transparency Policy, bruce....@entrust.com, rsl...@chromium.org
Thanks, it would be great to review the Inclusion Requests. Is there a source to find those requests?

Ryan Sleevi

Jul 24, 2020, 5:05:52 PM
to Bruce Morton, Certificate Transparency Policy, Ryan Sleevi
I just filed https://github.com/chromium/ct-policy/issues/28 to make this easier for the logs that are Qualified in Google Chrome.

Currently, the "best" way right now (for Chrome) is to view https://goo.gl/chrome/ct-policy . Under the "Qualified In" column, it will link to the commit that added the log. The commit will have a "BUG=" which you can load at https://crbug.com/[bug number] - e.g. https://crbug.com/419255 . The CT in Chrome policy requires the Log state their policies, so hopefully that provides some clarity.

This obviously could benefit from some improvement, so the bug I just filed should help make it easier. In the absence of that, you can of course reach out to the individual Log Operators and request they add your certificate, assuming it's eventually intended to be used for TLS in browsers.


Rob Stradling

Jul 24, 2020, 5:21:33 PM
to Bruce Morton, rsl...@chromium.org, Certificate Transparency Policy
Hi Bruce.  See also https://crt.sh/monitored-logs?recognizedBy=Chromium.  It's obviously not a canonical source, but it should be consistent.  Click the "Usable" links to open the logs' Inclusion Requests.


From: Ryan Sleevi <rsl...@chromium.org>
Sent: 24 July 2020 22:05
To: Bruce Morton <bruce....@entrust.com>
Cc: Certificate Transparency Policy <ct-p...@chromium.org>; Ryan Sleevi <rsl...@chromium.org>
Subject: Re: [ct-policy] Add New Root to CT Logs
 

CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.

Deyan Bektchiev

Jul 26, 2020, 5:59:02 PM
to Certificate Transparency Policy, Rob Stradling, Certificate Transparency Policy, Bruce Morton, Ryan Sleevi
Another way would be to simply use the API and pull all accepted roots to find out the ones that already have the roots added and only reach out to the ones that don't have the root and you'd like to have it. You could even try and submit a certificate to the ones that already have the root just to make sure everything is working correctly.

Bruce Morton

Jul 28, 2020, 3:58:09 PM
to Certificate Transparency Policy, bruce....@entrust.com, rsl...@chromium.org
Thanks all for replying and Rob, this is a great link https://crt.sh/monitored-logs?recognizedBy=Chromium.

Bruce.


On Friday, July 24, 2020 at 5:21:33 PM UTC-4, Rob Stradling wrote:
Hi Bruce.  See also https://crt.sh/monitored-logs?recognizedBy=Chromium.  It's obviously not a canonical source, but it should be consistent.  Click the "Usable" links to open the logs' Inclusion Requests.
From: Ryan Sleevi <rsl...@chromium.org>
Sent: 24 July 2020 22:05
To: Bruce Morton <bruce...@entrust.com>

Cc: Certificate Transparency Policy <ct-p...@chromium.org>; Ryan Sleevi <rsl...@chromium.org>
Subject: Re: [ct-policy] Add New Root to CT Logs

CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.

419255I just filed https://github.com/chromium/ct-policy/issues/28 to make this easier for the logs that are Qualified in Google Chrome.

Currently, the "best" way right now (for Chrome) is to view https://goo.gl/chrome/ct-policy . Under the "Qualified In" column, it will link to the commit that added the log. The commit will have a "BUG=" which you can load at https://crbug.com/[bug number] - e.g. https://crbug.com/419255 . The CT in Chrome policy requires the Log state their policies, so hopefully that provides some clarity.

This obviously could benefit from some improvement, so the bug I just filed should help make it easier. In the absence of that, you can of course reach out to the individual Log Operators and request they add your certificate, assuming it's eventually intended to be used for TLS in browsers.

Bruce Morton

Jul 29, 2020, 11:29:14 AM
to Certificate Transparency Policy, bruce....@entrust.com, rsl...@chromium.org
This site is also very good, https://sslmate.com/labs/ct_ecosystem/ecosystem.html

Also, it appears that the root in question has already been added to Google, Let's Encrypt, Cloudflare and Sectigo CT logs without request. Thanks to the CT log operators.

Rob Stradling

Jul 30, 2020, 5:42:43 AM
to Deyan Bektchiev, Certificate Transparency Policy, Bruce Morton, Ryan Sleevi
Ooh, that reminds me...

crt.sh regularly polls each log's get-roots API, and each CA certificate page shows the "Active Logs for which this certificate is an Accepted Root Certificate".

See https://crt.sh/?id=713609039, for example.


From: ct-p...@chromium.org <ct-p...@chromium.org> on behalf of Deyan Bektchiev <dej...@gmail.com>
Sent: 26 July 2020 22:59
To: Certificate Transparency Policy <ct-p...@chromium.org>
Cc: Rob Stradling <r...@sectigo.com>; Certificate Transparency Policy <ct-p...@chromium.org>; Bruce Morton <bruce....@entrust.com>; Ryan Sleevi <rsl...@chromium.org>
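The approach Deyan describes above (pull each log's accepted roots through the API, then contact only the operators whose logs lack the root) and the get-roots endpoint Rob mentions, worked through as a script. This is an added example, not code from any participant in this thread or from crt.sh. It assumes the RFC 6962 get-roots response shape, `{"certificates": ["<base64 DER>", ...]}`, served at `<log>/ct/v1/get-roots`; the sample responses, log names and "DER" blobs are constructed stand-ins, not real certificates or real logs, so the offline demo never touches the network.

```python
"""Find which CT logs already accept a given root via the RFC 6962 get-roots API.

Added example for this thread; not code from any of the participants.
Assumption: each log serves GET <log>/ct/v1/get-roots and returns
{"certificates": [<base64 DER>, ...]} (RFC 6962 section 4.7).
"""
import base64
import hashlib
import json
import urllib.request


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint (lowercase hex) of a DER-encoded certificate."""
    return hashlib.sha256(der).hexdigest()


def parse_get_roots(body: str) -> set:
    """Turn a get-roots JSON body into a set of SHA-256 fingerprints.

    Entries are base64-decoded with validation so a malformed response
    raises (ValueError) instead of silently yielding a bogus fingerprint.
    """
    doc = json.loads(body)
    certs = doc.get("certificates") if isinstance(doc, dict) else None
    if not isinstance(certs, list):
        raise ValueError("get-roots response lacks a 'certificates' list")
    return {fingerprint(base64.b64decode(c, validate=True)) for c in certs}


def fetch_get_roots(log_url: str, timeout: float = 10.0) -> set:
    """Fetch and parse a live log's get-roots (network; not used by the offline demo)."""
    url = log_url.rstrip("/") + "/ct/v1/get-roots"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return parse_get_roots(resp.read().decode("utf-8"))


def classify_logs(responses: dict, root_der: bytes) -> dict:
    """Split logs into those that accept root_der, those that do not, and errors.

    responses maps a log name to its raw get-roots JSON body. A log whose
    response cannot be parsed is reported under "error" rather than assumed
    missing, so a transient failure does not trigger a needless request to
    the operator (or hide a log that does accept the root).
    """
    target = fingerprint(root_der)
    result = {"accepted": [], "missing": [], "error": []}
    for name, body in responses.items():
        try:
            roots = parse_get_roots(body)
        except ValueError as exc:  # json.JSONDecodeError and binascii.Error are ValueErrors
            result["error"].append((name, str(exc)))
            continue
        bucket = "accepted" if target in roots else "missing"
        result[bucket].append(name)
    return result


# Constructed sample data: fake "DER" blobs standing in for real root certificates.
NEW_ROOT_DER = b"\x30\x82\x00\x10constructed-new-root"
OTHER_ROOT_DER = b"\x30\x82\x00\x10constructed-other-root"


def _b64(der: bytes) -> str:
    return base64.b64encode(der).decode("ascii")


# Constructed get-roots bodies for three hypothetical logs; log-c is deliberately malformed.
SAMPLE_RESPONSES = {
    "log-a": json.dumps({"certificates": [_b64(OTHER_ROOT_DER), _b64(NEW_ROOT_DER)]}),
    "log-b": json.dumps({"certificates": [_b64(OTHER_ROOT_DER)]}),
    "log-c": '{"certificates": "not-a-list"}',
}


def demo() -> dict:
    """Offline run over the constructed responses."""
    return classify_logs(SAMPLE_RESPONSES, NEW_ROOT_DER)


if __name__ == "__main__":
    for bucket, logs in demo().items():
        print(bucket, logs)
```

Against real logs you would replace `SAMPLE_RESPONSES` with the bodies returned by `fetch_get_roots` for each log URL taken from a log list, and the "missing" bucket is the set of operators worth contacting. Matching on the SHA-256 of the DER (rather than on subject names) avoids false matches between cross-signed or re-issued roots that share a subject.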