Retiring Digicert Yeti 2025 log in Chrome
444 views
Skip to first unread message
Carlos Joan Rafael Ibarra Lopez
Jul 9, 2025, 5:23:23 PMJul 9
to Certificate Transparency Policy
As mentioned in https://groups.google.com/a/chromium.org/g/ct-policy/c/Ztdl5qYeZbY/m/bz8Tq7T0BgAJ, Yeti 2025 has encountered unrecoverable errors, so we will transition it to retired state.
Effective July 10 2025, the following Log will transition to Retired, with the last ‘Qualified’ SCT having a timestamp no later than Thursday, July 24, 2025 00:00:00 GMT, or 2025-07-24T00:00:00+0000 in ISO 8601 format:
Digicert Yeti 2025 (https://yeti2025.ct.digicert.com/log/)
After July 24 2025, SCTs from Yeti 2025 will no longer count towards the CT Compliance requirements stating that at least one SCT must come from a CT Log that was Qualified, Usable, or ReadOnly at time of check. As such, after this point, it is no longer appropriate to serve SCTs from this Log in the TLS handshake, in OCSP responses, or embedded in certificates issued on-or-after 2025-07-24T00:00:00+0000.
Embedded SCTs dated prior to 2025-07-24T00:00:00+0000 will still satisfy CT Compliance requirements that permit SCTs to come from CT Logs that are Qualified, Usable, ReadOnly, or Retired at time of check; however, at least one other SCT must come from a non-Retired CT Log in order for the certificate to successfully validate in Chrome.
What does this mean for site operators?
If you are delivering SCTs embedded in the certificate, this should require no action on your part. All previously-issued certificates containing SCTs from these logs that complied with the Chrome CT Policy will continue to do so.
If you are currently serving SCTs via stapled OCSP, then your CA must take appropriate action to update their OCSP pipeline to ensure they are embedding a policy-satisfying set of SCTs. Once done, you must refresh the OCSP response stapled to the connections. Alternatively, you may choose to provide a policy-satisfying set of SCTs via another mechanism outlined in the Chrome CT Policy.
If you are currently delivering SCTs via a TLS extension, SCTs issued by these logs will no longer contribute towards CT Compliance. As such, you will need to update the SCTs included in the handshake to comply with the Chrome CT Policy in order to satisfy the requirements for SCTs delivered via TLS.
What does this mean for CAs?
If you are embedding SCTs in your certificates, SCTs from these logs for newly-issued certificates will no longer meet CT Compliance requirements stating that at least one SCT must come from a CT Log that was Qualified, Usable, or ReadOnly at time of check. To ensure that newly-issued certificates will be CT-compliant, you should update your CA’s CT log configuration to remove these logs while also ensuring that you are still logging to a policy-satisfying set of CT logs after the removal.
While it is not required by policy, CAs with existing certificates embedding SCTs from these logs may wish to proactively reissue affected certificates to increase the resilience of these certificates to possible future log incidents.
Finally, if you are embedding SCTs from these logs in your OCSP responses, you must issue new OCSP responses that replace these SCTs with new ones from a set of CT logs that satisfies the Chrome’s CT Policy. Your customers must then begin to serve these new responses or provide a policy-satisfying set of SCTs via another mechanism before the effective date above.
What does this mean for Log Operators?
If you are operating a CT Log not listed in the above Retirement announcement, you do not need to take any action.
-Carlos, on behalf of the Chrome CT team
Effective July 10 2025, the following Log will transition to Retired, with the last ‘Qualified’ SCT having a timestamp no later than Thursday, July 24, 2025 00:00:00 GMT, or 2025-07-24T00:00:00+0000 in ISO 8601 format:
Digicert Yeti 2025 (https://yeti2025.ct.digicert.com/log/)
After July 24 2025, SCTs from Yeti 2025 will no longer count towards the CT Compliance requirements stating that at least one SCT must come from a CT Log that was Qualified, Usable, or ReadOnly at time of check. As such, after this point, it is no longer appropriate to serve SCTs from this Log in the TLS handshake, in OCSP responses, or embedded in certificates issued on-or-after 2025-07-24T00:00:00+0000.
Embedded SCTs dated prior to 2025-07-24T00:00:00+0000 will still satisfy CT Compliance requirements that permit SCTs to come from CT Logs that are Qualified, Usable, ReadOnly, or Retired at time of check; however, at least one other SCT must come from a non-Retired CT Log in order for the certificate to successfully validate in Chrome.
What does this mean for site operators?
If you are delivering SCTs embedded in the certificate, this should require no action on your part. All previously-issued certificates containing SCTs from these logs that complied with the Chrome CT Policy will continue to do so.
If you are currently serving SCTs via stapled OCSP, then your CA must take appropriate action to update their OCSP pipeline to ensure they are embedding a policy-satisfying set of SCTs. Once done, you must refresh the OCSP response stapled to the connections. Alternatively, you may choose to provide a policy-satisfying set of SCTs via another mechanism outlined in the Chrome CT Policy.
If you are currently delivering SCTs via a TLS extension, SCTs issued by these logs will no longer contribute towards CT Compliance. As such, you will need to update the SCTs included in the handshake to comply with the Chrome CT Policy in order to satisfy the requirements for SCTs delivered via TLS.
What does this mean for CAs?
If you are embedding SCTs in your certificates, SCTs from these logs for newly-issued certificates will no longer meet CT Compliance requirements stating that at least one SCT must come from a CT Log that was Qualified, Usable, or ReadOnly at time of check. To ensure that newly-issued certificates will be CT-compliant, you should update your CA’s CT log configuration to remove these logs while also ensuring that you are still logging to a policy-satisfying set of CT logs after the removal.
While it is not required by policy, CAs with existing certificates embedding SCTs from these logs may wish to proactively reissue affected certificates to increase the resilience of these certificates to possible future log incidents.
Finally, if you are embedding SCTs from these logs in your OCSP responses, you must issue new OCSP responses that replace these SCTs with new ones from a set of CT logs that satisfies the Chrome’s CT Policy. Your customers must then begin to serve these new responses or provide a policy-satisfying set of SCTs via another mechanism before the effective date above.
What does this mean for Log Operators?
If you are operating a CT Log not listed in the above Retirement announcement, you do not need to take any action.
-Carlos, on behalf of the Chrome CT team
Carlos Joan Rafael Ibarra Lopez
Jul 9, 2025, 6:09:11 PMJul 9
to Certificate Transparency Policy, Carlos Joan Rafael Ibarra Lopez
Looks like formatting got stripped from that email, here is a more readable version:
Reply all
Reply to author
Forward
0 new messages