Question Regarding CT Log List Validity in Apple’s CT Policy

Jin Tong

Mar 27, 2026, 4:33:00 AM
to Certificate Transparency Policy
Hi all,

I noticed that both Chrome [1] and Firefox [2] define a validity period for their ct_log_list within their Certificate Transparency (CT) policies. Specifically, they set this period to 70 days (10 weeks), after which CT enforcement is disabled if the list is not updated.

I was wondering whether Apple implements a similar mechanism. I have reviewed Apple’s CT policy [3, 4] but did not find any explicit description of a validity period for the CT log list.

Could you please clarify whether such a mechanism exists in Apple’s implementation?


[1]. https://googlechrome.github.io/CertificateTransparency/ct_policy.html

[2]. https://wiki.mozilla.org/SecurityEngineering/Certificate_Transparency#CT_Log_Policy

[3]. https://support.apple.com/en-us/103214

[4]. https://support.apple.com/en-us/103703


Best regards,

Jin Tong

Bailey Basile

Mar 27, 2026, 2:09:36 PM
to Certificate Transparency Policy, Jin Tong
Yes, Apple devices use a similar mechanism, but since they don't actually use the visible CT log list endpoints directly, the information is not communicated that way. Our CT enforcement is disabled after 60 days of inability of the device to verify that it has the latest version.

See this published source code:

Jin Tong

Mar 28, 2026, 3:39:03 AM
to Certificate Transparency Policy, Bailey Basile, Jin Tong
Hi Bailey,


Thank you very much for your reply.  


Best regards,
Jin Tong