MMD violations in mammoth2025h2


Joe DeBlasio

Aug 25, 2025, 1:20:54 PM
to #CTOps, Certificate Transparency Policy
Hi Sectigo CTOps,

(CCing ct-policy@ for awareness.)

We've seen a very large number of SCTs not included within Mammoth2025h2's MMD this morning.  I've included one cert below with an example embedded SCT that hasn't been included as of sending this email.

We'd appreciate it if you could temporarily suspend submissions to mammoth2025h2 ASAP to limit the potential impact, and then investigate and report back.

Thank you,
Joe on behalf of the Chrome CT Team

----

-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

Rob Stradling

Aug 26, 2025, 2:07:55 PM
to Joe DeBlasio, #CTOps, Certificate Transparency Policy
Hi Joe.  We temporarily suspended POST requests to Mammoth2025h2 at 10:42 UTC today.  We will re-enable once the sequencing backlog has gone.

There's not really anything new that we can investigate here.  The poor sequencing performance of our MariaDB-based logs is well known and has bitten us several times before.

Per https://groups.google.com/a/chromium.org/g/ct-policy/c/-N1YTYNeVl4/m/aqcgMUoJGwAJ, we intend to permanently suspend POST requests to all of the Sabre and Mammoth shards at approximately 2025-09-18 15:00 UTC.  We are looking forward to this day!



Joe DeBlasio

Aug 27, 2025, 2:03:53 PM
to Rob Stradling, #CTOps, Certificate Transparency Policy
Thank you, Rob.

I appreciate that our (Chrome's) thoughts have been shifting a bit here as log behavior has continued to evolve.

I think it would be reasonable to never re-enable submissions to mammoth2025h2, instead transitioning it to readonly now. Other mammoth and sabre shards could move to readonly at the previously-discussed date. The prior plan (everything waiting until September) was an attempt to maximize capacity in the ecosystem, but if mammoth2025h2 can't safely offer that capacity, there's no benefit in trying to postpone the transition for that shard. That also does not detract from the value of the other shards waiting until Tiger* are fully Usable. 

Even this plan presupposes that the log is able to fully clear its backlog. I notice that despite having more than a full day of no submissions, mammoth2025h2 still has unincluded certificates -- I've attached one certificate with an SCT from 6:47 UTC yesterday that I can't validate as of this writing. If the log hasn't cleared the backlog in the next day or two, we'll instead need to move to Retire the log.

Joe
2025-08-27-mammoth2025h2-inclusion-failure.pem
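The two messages above turn on the same check: an SCT carries a timestamp, the log's MMD (24 hours under Chrome's policy) sets a deadline, and a monitor asks whether an STH issued after that deadline includes the certificate. The following is an added example, not code from this thread, Chrome or Sectigo. It parses an embedded SCT list (RFC 6962 sections 3.2 and 3.3), computes each SCT's MMD deadline, and classifies an SCT given the result of a get-proof-by-hash call against a given STH. The log ID, timestamps and signature bytes in the sample are constructed placeholders (not Mammoth2025h2's real log ID), and the MMD value is an assumption.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
# Assumption: a 24-hour Maximum Merge Delay, the value Chrome's CT policy requires of logs.
MMD = timedelta(hours=24)


def der_octet_string_contents(data: bytes) -> bytes:
    """Unwrap one DER OCTET STRING (tag 0x04) and return its contents."""
    if len(data) < 2 or data[0] != 0x04:
        raise ValueError("not a DER OCTET STRING")
    first = data[1]
    if first < 0x80:                      # short-form length
        length, off = first, 2
    else:                                 # long-form length: 0x8N followed by N length bytes
        n = first & 0x7F
        length, off = int.from_bytes(data[2:2 + n], "big"), 2 + n
    contents = data[off:off + length]
    if len(contents) != length:
        raise ValueError("truncated OCTET STRING")
    return contents


def parse_sct(sct: bytes) -> dict:
    """Parse one RFC 6962 section 3.2 SignedCertificateTimestamp (v1 only)."""
    if len(sct) < 47 or sct[0] != 0:
        raise ValueError("unsupported or truncated SCT")
    log_id = sct[1:33]                                   # SHA-256 of the log's public key
    (ts_ms,) = struct.unpack(">Q", sct[33:41])           # milliseconds since the UNIX epoch
    (ext_len,) = struct.unpack(">H", sct[41:43])
    off = 43 + ext_len
    if off + 4 > len(sct):
        raise ValueError("truncated SCT extensions")
    hash_alg, sig_alg = sct[off], sct[off + 1]           # 4 = sha256, 3 = ecdsa
    (sig_len,) = struct.unpack(">H", sct[off + 2:off + 4])
    signature = sct[off + 4:off + 4 + sig_len]
    if len(signature) != sig_len:
        raise ValueError("truncated SCT signature")
    return {
        "log_id": log_id,
        "timestamp": EPOCH + timedelta(milliseconds=ts_ms),
        "extensions": sct[43:off],
        "hash_alg": hash_alg,
        "sig_alg": sig_alg,
        "signature": signature,
    }


def parse_sct_list(data: bytes) -> list[dict]:
    """Parse a TLS-encoded SignedCertificateTimestampList (RFC 6962 section 3.3)."""
    (total,) = struct.unpack(">H", data[:2])
    body = data[2:2 + total]
    if len(body) != total:
        raise ValueError("SCT list length mismatch")
    scts, off = [], 0
    while off < len(body):
        (n,) = struct.unpack(">H", body[off:off + 2])
        off += 2
        scts.append(parse_sct(body[off:off + n]))
        off += n
    return scts


def sct_list_from_extension(extn_contents: bytes) -> list[dict]:
    """The contents of extnValue for OID 1.3.6.1.4.1.11129.2.4.2 is a DER OCTET STRING
    wrapping the TLS-encoded list; unwrap that one layer and parse."""
    return parse_sct_list(der_octet_string_contents(extn_contents))


def mmd_status(sct: dict, sth_timestamp: datetime, proof_found: bool) -> str:
    """Classify an SCT against an STH and the outcome of get-proof-by-hash for that
    STH's tree_size. 'included': proof returned. 'pending': no proof, but the STH
    predates timestamp + MMD, so the log is still within its MMD. 'violated': no
    proof although the STH was issued after the deadline."""
    if proof_found:
        return "included"
    deadline = sct["timestamp"] + MMD
    return "violated" if sth_timestamp >= deadline else "pending"


def build_sct_list(entries) -> bytes:
    """Construct a TLS-encoded SCT list for testing (signature bytes are a placeholder)."""
    scts = []
    for log_id, ts in entries:
        ms = (ts - EPOCH) // timedelta(milliseconds=1)
        sig = b"\x30\x06\x02\x01\x01\x02\x01\x01"      # placeholder, not a real ECDSA signature
        body = (b"\x00" + log_id + struct.pack(">Q", ms) + struct.pack(">H", 0)
                + b"\x04\x03" + struct.pack(">H", len(sig)) + sig)
        scts.append(struct.pack(">H", len(body)) + body)
    inner = b"".join(scts)
    return struct.pack(">H", len(inner)) + inner


# Constructed sample: placeholder log ID and an SCT timestamped 2025-08-26 06:47 UTC.
SAMPLE_LOG_ID = bytes(range(32))
SAMPLE_SCT_TS = datetime(2025, 8, 26, 6, 47, tzinfo=timezone.utc)
SAMPLE_SCT_LIST = build_sct_list([(SAMPLE_LOG_ID, SAMPLE_SCT_TS)])
SAMPLE_EXTENSION = b"\x04" + bytes([len(SAMPLE_SCT_LIST)]) + SAMPLE_SCT_LIST


def demo() -> dict:
    sct = sct_list_from_extension(SAMPLE_EXTENSION)[0]
    early_sth = datetime(2025, 8, 27, 0, 0, tzinfo=timezone.utc)    # before the deadline
    late_sth = datetime(2025, 8, 27, 12, 0, tzinfo=timezone.utc)    # after the deadline
    return {
        "deadline": sct["timestamp"] + MMD,
        "before_deadline": mmd_status(sct, early_sth, proof_found=False),
        "after_deadline": mmd_status(sct, late_sth, proof_found=False),
        "included": mmd_status(sct, late_sth, proof_found=True),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The extension bytes come from the certificate (for example `openssl x509 -in cert.pem -noout -text` prints the parsed SCTs, and `openssl asn1parse` exposes the raw extension). What this block does not do is compute the leaf hash needed for get-proof-by-hash: for a precertificate entry that requires the issuer key hash and the TBSCertificate with the poison extension removed. Note also the caveat implied by the "pending" outcome: if a log stalls and stops issuing fresh STHs, this check alone never reports "violated", so STH freshness has to be monitored separately.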

Rob Stradling

Aug 28, 2025, 7:24:47 AM
to Joe DeBlasio, #CTOps, Certificate Transparency Policy
Hi Joe.  Mammoth2025h2's submission backlog cleared at approximately 23:00 UTC yesterday.

We won't re-enable submissions to this shard.  Per your suggestion, please transition it to Readonly now.
