Hello ct-policy@ community!
We will be updating our policies soon to support adding static-ct-api logs as trusted CT logs in Chrome. This email outlines our initial policy and log list schema changes to that end.
Policy changes
To accommodate static-ct-api logs, Chrome's current CT policy will be updated to clarify that at least one SCT must originate from a log Chrome recognized as both Usable and RFC6962 compliant at time of SCT issuance. Our hope and expectation is to remove this "at least one" limitation in a future policy update.
The current log policy will be updated to state that:
log operators may submit RFC6962-compliant or static-ct-api-compliant logs for inclusion in Chrome's log list, and should specify the log type during the application process,
we will only consider applications of static-ct-api logs with an MMD of 10 seconds or less, and
applications for static-ct-api log inclusion will only be accepted from existing log operators if those operators have already applied with an RFC6962-compatible log accepting the same set of certificates (i.e. same accepted roots and temporal window).
This last requirement is to encourage the ongoing health of the RFC6962-only log ecosystem pending greater adoption of the static-ct-log specification among CT monitors. We expect to remove this requirement coincident with the removal of the "at least one" policy described above.
We expect these changes to land shortly after static-ct-api reaches full v1.0 status. Once these changes land, log operators are welcome to apply for inclusion of their static-ct-api logs. However, log operators wishing to submit their static-ct-api-compliant logs should also know that a future log policy update will increase availability requirements on static-ct-api logs for endpoints served via the monitoring prefix. Log operators are encouraged to structure their log such that log contents can remain available in a variety of outage and maintenance conditions.
To accommodate tiled logs in our public log list, we will add a new required tiled_logs array to the existing operator object in our public log list schema. The tiled_logs schema will match that of the existing logs array in the same operator object, except that the url field will be omitted, and two new fields, a submission_url and a monitoring_url will be present. These URLs represent the submission and monitoring prefixes defined in the static-ct-api C2SP spec.
Since these changes are purely additive, we expect they will be mostly backwards compatible with existing log list consumers (and trivially adapted if not) and will not be updating the log list URL. We expect this schema change to occur later this week. Simultaneous with the schema update, we will update the published log list with empty tiled_logs arrays for all existing operators.
We have received questions regarding whether a static-ct-api log with an RFC6962 compatibility proxy (like Sunglasses) could be accepted as an RFC6962 log in Chrome. Chrome leaves the choice of implementation of logs entirely up to the log operator. However, a log using a given public/private key pair may only apply for inclusion in Chrome as either an RFC6962 or static-ct-api log, even if the log otherwise fully implements both specifications.
Our expectation is that static-ct-api logs providing an RFC6962 API are largely indistinguishable from other RFC6962 logs from the perspective of certificate submitters. However:
Static-ct-api-backed logs may provide the LeafIndex CtExtension. Well-behaved RFC6962 certificate submitters should be robust to encountering novel extensions.
The add-chain and add-pre-chain endpoints of static-ct-api-backed logs may have higher latency than typical RFC6962 logs. Though our policy does not currently specify request latency requirements, our monitoring infrastructure does measure it; we may investigate adding latency caps if we determine that significant latency delays are harming the ecosystem.
As always, questions are welcome!
Joe, on behalf of the Chrome CT Team
--
You received this message because you are subscribed to the Google Groups "Certificate Transparency Policy" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ct-policy+...@chromium.org.
To view this discussion visit https://groups.google.com/a/chromium.org/d/msgid/ct-policy/CAFZs0S4vKgQywCo7_O49%2BbbmU4QAM_Y89Ct8AEnP4-FvZHNSJg%40mail.gmail.com.
To unsubscribe from this group and stop receiving emails from it, send an email to ct-policy+unsubscribe@chromium.org.
--
You received this message because you are subscribed to the Google Groups "Certificate Transparency Policy" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ct-policy+unsubscribe@chromium.org.
--
You received this message because you are subscribed to the Google Groups "Certificate Transparency Policy" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ct-policy+...@chromium.org.
To view this discussion visit https://groups.google.com/a/chromium.org/d/msgid/ct-policy/CAFZs0S6rK2nU06dNUepg7OSSMFUSGbFLct%2Bd6t1%2BywaH3hXKQw%40mail.gmail.com.