In iOS 11.0, watchOS 4.0, tvOS 11.0, and macOS 10.13, Apple introduced a new requirement for Extended Validation (EV) certificates to be Certificate Transparency (CT) qualified. If an otherwise valid EV certificate did not have Signed Certificate Timestamps (SCTs) from a qualified CT log, that certificate could pass a trust evaluation but would not have an EV indicator in the returned trust evaluation information. A number of critical Apple services on devices running these software versions require the EV indicator for the TLS server certificate to successfully connect to those services.
The qualified CT log public keys were built into the system image of all devices and could be updated only by a Software Update. Beginning in iOS 11.3, watchOS 4.3, tvOS 11.3, and macOS 10.13.4, the set of qualified CT logs was made updatable out-of-band of a Software Update.
Users still running the software versions prior to this change — users who have chosen not to update — have a static log list with no mechanism to disable the CT checks for EV certificates. All of these users have software update alerts (e.g. badged Settings apps) advising them to update to newer releases for security and other improvements — releases which are capable of updating the CT log list for the EV checks.
All of the remaining operational logs qualified on iOS 11.0, watchOS 4.0, tvOS 11.0, and macOS 10.13 had been planned to reject new entries later this year. Those logs and corresponding proposed shutdown dates are:
- Google's Pilot Log (ct.googleapis.com/pilot/) — 1 May 2019
- Google’s Rocketeer Log (ct.googleapis.com/rocketeer/) — 1 June 2019
- Google’s Skydiver Log (ct.googleapis.com/skydiver/) — 1 July 2019
- Google’s Icarus Log (ct.googleapis.com/icarus/) — 1 August 2019
- DigiCert Log Server (ct1.digicert-ct.com/log/) — 6 May 2019
--
You received this message because you are subscribed to the Google Groups "Certificate Transparency Policy" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ct-policy+...@chromium.org.
To post to this group, send email to ct-p...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/ct-policy/89718af8-08b9-42c6-a7fb-347892729286%40chromium.org.
Representing a CA using the Google CT-logs, I was surprised when the topic of shutting down Google CT-logs came up in this thread.
I got some additional information from Devon O'Brian (thank you Devon!) and understand that a shutdown notification for these logs has not been posted to this list. This has surely been communicated somewhere, but I have missed it - and I assume this might be the same for other CAs.
I am concerned about how CAs using CT-logs should be made aware of such planned shutdowns of logs. For some other CT-logs being shut down in the past, we have got a shutdown notification directly from the CT-log operator, but not in this case.
Is there some agreed-on method for how CT-log operators announce that they plan to shut down their CT-logs?
Regards
Mads