Devon O'Brien
unread,Jan 30, 2024, 8:00:23 PMJan 30Sign in to reply to author
Sign in to forward
You do not have permission to delete messages in this group
Either email addresses are anonymous for this group or you need the view member email addresses permission to view the original message
to Certificate Transparency Policy, bgam...@gmail.com, dko...@cloudflare.com, Certificate Transparency Policy
Hi Bret,
Thanks for spotting this and for bringing this to the community's attention. You're right that this behavior is something that an attentive CT Monitor (or Auditor, as the roles are often blurred in practice) could have detected, but I wouldn't go so far as to say it's a failure on the part of any CT Monitor/Auditor because their primary purpose is verifying the behaviors outlined in
RFC 6962 Section 5.3 (Monitoring) and
RFC 6962 Section 5.4 (Auditing).
So long as they are verifying that STHs are well-formed, signed, consistent, <= 24 hours old as defined by CT policy, and entries for known SCTs are incorporated into logs within the MMD, Monitors/Auditors are demonstrating logs are performing the requisite checks to ensure the health of the CT log ecosystem. In terms of stale STHs, if a CT Log began serving STHs that were more than 24 hours old, this is where we would expect monitors to detect and alert, as this would interfere with the timely detection of newly-issued certificates.
I agree that the observed behavior isn't ideal (and it appears that Cloudflare rapidly addressed it!), but is there a specific CT workflow you're trying to perform that's stymied by CT Logs caching/serving valid but slightly stale STHs inconsistently? This is something that could be addressable by policy, but we should be very careful about adding additional requirements on log operators beyond what's necessary for the health of the ecosystem.
-Devon