Mozilla CT Known Logs - how to determine which 'Admissible' logs are actually Usable?


Rob Stradling

Dec 10, 2025, 8:51:54 AM
to Certificate Transparency Policy
I'm working on adding support to ctlint for checking embedded SCT lists against Mozilla's CT Policy and log list.  Mozilla's list of CT logs doesn't differentiate between Qualified and Usable; instead, the "Admissible" state covers both.

Q: How should a CA (or linter) determine which Admissible logs are actually Usable in Firefox?  ("Usable" in this context means that all in-use installations of Firefox can be expected to either recognize the log as Admissible or to have disabled CT enforcement.)

Based on the 10 week expiration time of the log list and the >10 week ESR release cycle, I think the answer should be that: an Admissible log is Usable if it has been Admissible for >=70 days; or Qualified otherwise.  However, it's not currently possible to determine for how long a log has been Admissible just by looking at the latest published log list, because the log list generator script appears to overwrite Admissible timestamps by blindly copying Qualified and Usable timestamps from Chrome's log list.  Recent example: Sycamore2027h1 was previously Admissible with timestamp 1758078000000 (microseconds since Unix epoch), but that Admissible timestamp was later updated to 1764212400000.

I suppose the "missing" timestamps could be found by iterating through every commit to the log list, to discover when each Admissible log was originally added; then use that version of the list's expiration date as the log's Usable timestamp, and set the log's Qualified timestamp to 70 days earlier than that.

Is this the expected approach?

Dana Keeler

Dec 10, 2025, 1:29:18 PM
to Rob Stradling, Certificate Transparency Policy
Hi Rob,

The timestamp in the log list source file is only relevant for retired logs. I filed https://bugzilla.mozilla.org/show_bug.cgi?id=2005288 to make that more clear.
I don't think you have to go through every commit in that file to determine what you want. I would probably note which logs are in each release (including dot releases, which is particularly relevant for ESR), as well as the expiration date for each release. If a log is new in release n, it should be usable at the time of expiration of the list in release n - 1.

Hope this helps,
Dana


Rob Stradling

Dec 10, 2025, 1:47:23 PM
to Dana Keeler, Certificate Transparency Policy
Thanks Dana.  I'm a little confused though.

> The timestamp in the log list source file is only relevant for retired logs.

> ...it should be usable at the time of expiration of the list in release n - 1.

Presumably these two statements refer to different timestamps (because one "is only relevant for retired logs" and the other can be used to determine whether or not an Admissible log is "usable").

Where should I look for the "time of expiration of the list in release n - 1"?


Dana Keeler

Dec 10, 2025, 2:01:58 PM
to Rob Stradling, Certificate Transparency Policy
Oh! Yeah, sorry - so each CTLogInfo has a timestamp field, which is what I was referring to as only relevant for retired logs. The entire list has a kCTExpirationTime, which is the expiration time of that version of the list (looks like it's at line 17).
So for example, if you're looking at new logs in Firefox 146 (https://hg-edge.mozilla.org/mozilla-unified/file/FIREFOX_146_0_RELEASE/security/ct/CTKnownLogs.h), the expiration time you'd be looking for is the kCTExpirationTime from 145.0.2 (https://hg-edge.mozilla.org/mozilla-unified/file/FIREFOX_145_0_2_RELEASE/security/ct/CTKnownLogs.h#l17).
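The procedure Dana describes (a log that is new in release n becomes usable when the list shipped in release n-1 expires), combined with Rob's proposed convention that the Qualified period starts 70 days before the Usable timestamp, as an added example that is not part of the thread and not code from ctlint or Mozilla. The header snippets are constructed with invented timestamps, and the two regexes assume that the relevant lines of CTKnownLogs.h look like `kCTExpirationTime = <ms>;` and `{"<name>", CTLogState::<State>, ...}`; the real header's layout may differ, so adjust them before pointing this at the actual files.

```python
import re
from typing import Optional

# Assumed layout of the two kinds of line this example reads from CTKnownLogs.h
# (an assumption; the real header may format these differently).
EXPIRY_RE = re.compile(r"kCTExpirationTime\s*=\s*(\d+)")
LOG_RE = re.compile(r'\{\s*"([^"]+)"\s*,\s*CTLogState::(\w+)')

# Rob's proposed gap between a log's Qualified and Usable timestamps.
SEVENTY_DAYS_MS = 70 * 24 * 60 * 60 * 1000


def parse_header(text: str):
    """Return (kCTExpirationTime in ms, {log name: CTLogState}) for one header version."""
    m = EXPIRY_RE.search(text)
    if m is None:
        raise ValueError("header has no kCTExpirationTime")
    return int(m.group(1)), dict(LOG_RE.findall(text))


def usable_from(releases):
    """releases: (version, header text) pairs in ascending release order, including
    dot releases. A log first seen as Admissible in release n is usable from the
    kCTExpirationTime of release n-1. Logs already Admissible in the oldest release
    given map to None, because the input does not reach back far enough to say."""
    table = {}
    prev_expiry: Optional[int] = None
    prev_admissible = set()
    for _version, text in releases:
        expiry, logs = parse_header(text)
        admissible = {name for name, state in logs.items() if state == "Admissible"}
        for name in admissible - prev_admissible:
            table[name] = prev_expiry
        prev_expiry, prev_admissible = expiry, admissible
    return table


def state_at(name: str, sct_ms: int, table) -> str:
    """Classify a log for an SCT issued at sct_ms (ms since the Unix epoch).
    'Usable' and 'Qualified' follow Rob's proposal; 'Unknown' (usable time not
    derivable from the input) and 'NotYetAdmissible' (before the inferred
    Qualified timestamp) are labels chosen for this example."""
    usable = table.get(name)
    if usable is None:
        return "Unknown"
    if sct_ms >= usable:
        return "Usable"
    if sct_ms >= usable - SEVENTY_DAYS_MS:
        return "Qualified"
    return "NotYetAdmissible"


# Constructed sample headers: only the lines this example reads are included,
# and every timestamp is invented. Only the Sycamore2027h1 name comes from the thread.
FX_145_0 = """
const uint64_t kCTExpirationTime = 1770000000000;
const CTLogInfo kCTLogList[] = {
    {"Example 'Alpha2026h1' log", CTLogState::Admissible, 0},
    {"Example 'Retired2024' log", CTLogState::Retired, 1700000000000},
};
"""
FX_145_0_2 = """
const uint64_t kCTExpirationTime = 1771500000000;
const CTLogInfo kCTLogList[] = {
    {"Example 'Alpha2026h1' log", CTLogState::Admissible, 0},
    {"Example 'Retired2024' log", CTLogState::Retired, 1700000000000},
};
"""
FX_146_0 = """
const uint64_t kCTExpirationTime = 1773000000000;
const CTLogInfo kCTLogList[] = {
    {"Example 'Alpha2026h1' log", CTLogState::Admissible, 0},
    {"Let's Encrypt 'Sycamore2027h1' log", CTLogState::Admissible, 0},
    {"Example 'Retired2024' log", CTLogState::Retired, 1700000000000},
};
"""
RELEASES = [("145.0", FX_145_0), ("145.0.2", FX_145_0_2), ("146.0", FX_146_0)]

if __name__ == "__main__":
    table = usable_from(RELEASES)
    for log_name, ts in table.items():
        print(f"{log_name}: usable from {ts}")
    sycamore = "Let's Encrypt 'Sycamore2027h1' log"
    for t in (1765000000000, 1771499999999, 1771500000000):
        print(t, state_at(sycamore, t, table))
```

The dot release matters: Sycamore2027h1 is new in 146.0, so its usable timestamp is the expiry of 145.0.2 (the last list shipped before it), not of 145.0. Feeding the releases out of order, or skipping a dot release, silently moves that boundary earlier, so build the release list from the tagged revisions rather than by hand.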