Removing old CT logs and a call for 2025 logs

625 views

Skip to first unread message

Joe DeBlasio

unread,

Jan 31, 2023, 7:31:05 PM1/31/23

to Certificate Transparency Policy

Hi ct-policy@,

Today, we're announcing the removal of a number of CT logs. In all cases, all certificates logged to these logs and otherwise trusted by Chrome have already expired.

Additionally, log operators are now invited to stand up and submit 2025 shards for approval if they have not already done so. Returning log operators may use the existing CT log Chromium bugs for new annual shards.

The following logs will transition to the Rejected state as of February 1, 2023 UTC:

Cloudflare 'Nimbus2022' Log (https://ct.cloudflare.com/logs/nimbus2022)
DigiCert Yeti2022 Log (https://yeti2022.ct.digicert.com/log)
DigiCert Yeti2022-2 Log (https://yeti2022-2.ct.digicert.com/log)
DigiCert Nessie2022 Log (https://nessie2022.ct.digicert.com/log)
DigiCert CT2 Log (https://ct2.digicert-ct.com/log)
Google Argon2022 Log (https://ct.googleapis.com/logs/argon2022)
Google Xenon2022 Log (https://ct.googleapis.com/logs/xenon2022)
Let's Encrypt Oak2022 Log (https://oak.ct.letsencrypt.org/2022)
Trust Asia Log2022 Log (https://ct.trustasia.com/log2022)

These logs will be removed entirely from the log list shipped to Chrome. SCTs from these logs - past, present, or future - will no longer count towards a certificate’s CT compliance, regardless of how the SCTs are delivered.

CT-enforcing versions of Chrome will receive these removals starting February 1, 2023 UTC, and an updated log list will be included in all subsequent release binaries.

What does this mean for site operators

These changes should require no action on your part, since all certificates relying on SCTs issued by these logs should now be expired and no longer in use. This is true whether you are delivering SCTs via OCSP, TLS extension, or embedded in the certificate itself.

What does this mean for CAs

There should be no impact to CAs due to these changes. If a CA still has any of these logs configured for production certificate logging purposes, they should be removed and the CA should ensure that they are logging certificates to a policy-satisfying set of Qualified or Usable CT logs.

What does this mean for Log Operators

Once these logs transition to Rejected, Chrome no longer requires that they continue operation. Log operators for these logs should check with other CT-enforcing User Agents to ensure that there are no issues with ceasing operation of these CT logs.

Log Operators for CT Logs not listed in the above set of Logs do not need to take any action.

Reply all

Reply to author

Forward

0 new messages