Hello ct-policy@,
Today, we’re announcing a large number of removals of CT logs that have been shut down by the log operator or are otherwise no longer in use. Starting in Chrome 101, these logs will be removed from the log list that’s included in the release binary. Current CT-enforcing versions of Chrome that can reach the Component Updater service for updated CT log lists will receive these removals sooner. We expect these removals to have no impact, since all certificates relying on SCTs from these logs are long since expired.
CT logs being removed:
Google 'Aviator' log (https://ct.googleapis.com/aviator/) - Readonly 2016-11-30
Symantec log (https://ct.ws.symantec.com/) - Retired 2019-02-16
Symantec 'Vega' log (https://vega.ws.symantec.com/) - Retired 2019-02-16
Symantec 'Sirius' log (https://sirius.ws.symantec.com/) - Retired 2019-02-16
Certly.IO log (https://log.certly.io/) - Retired 2016-04-15
Izenpe log (https://ct.izenpe.com/) - Retired 2016-05-30
WoSign log (https://ctlog.wosign.com/) - Retired 2016-02-12
Venafi log (https://ctlog.api.venafi.com/) - Retired 2017-02-28
CNNIC CT log (https://ctserver.cnnic.cn/) - Retired 2018-09-18
StartCom log (https://ct.startssl.com/) - Retired 2018-02-12
These logs will transition to the Rejected state, which means they will be removed entirely from the log list shipped to Chrome. SCTs from these Rejected logs - past, present, or future - will no longer count towards a certificate’s CT compliance, regardless of how the SCTs are delivered.
What does this mean for site operators
These logs transitioning to Rejected should require no action on your part, since all certificates relying on SCTs issued by these logs should now be expired and/or are no longer in use. This is true whether you are delivering SCTs via OCSP, TLS extension, or embedded in the certificate itself.
What does this mean for CAs
There should be no impact to CAs from Rejecting these logs. If a CA still has any of these logs configured for production certificate logging purposes, those logs should be removed, and the CA should ensure that it is logging certificates to a policy-satisfying set of Usable CT logs.
What does this mean for Log Operators
When CT logs transition to Rejected, Chrome no longer requires that they continue operation. We recommend that log operators for these logs check with other CT-enforcing User Agents to ensure that there are no issues with ceasing operation of these CT logs.
Log Operators for CT logs not listed in the above set of logs do not need to take any action.
-Devon