Root Inclusion Questions


Nathanna from Squarecert

Nov 9, 2020, 7:42:19 AM
to certificate-transparency
Hi there,

We're wondering how we can get in contact with Google and/or their CT team about inclusion of Squarecert root certificates.

Our infrastructure currently can generate and revoke certificates; however, we want to add features for CT logging to Google's PILOT preferably; however, we're open to suggestions or allowances by/of other Google CT logs.

Side Notes: Squarecert is an up-and-coming certificate authority. We issue paid consumer, professional and enterprise/PKI certificates. Each certificate goes under heavy review and syntax allocation by an agent. Each SSL follows practices presented by CAB forum, DigiCert guidelines, and Squarecert's internal policies.

For Google representatives: Please respond to this email or contact me via my professional email. Thank you! (We have a few root certificates for inclusion.)

~ Nathanna

Nathanna

Nov 15, 2020, 8:49:49 PM
to certificate-transparency
I'm bumping this, because no one has answered or contributed... Is there somewhere where I can find contact details? An email or phone number perhaps?

Peter Bowen

Nov 15, 2020, 9:12:13 PM
to certificate-...@googlegroups.com
Hi Nathanna,

I don't work for Google, so I cannot authoritatively answer your
question. However, I would suggest starting the Mozilla inclusion
process, as described in the Mozilla Root Store Policy
(https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/)
or the Microsoft CA application process
(https://docs.microsoft.com/en-us/security/trusted-root/new-ca-application).
All roots in the trusted Google logs are part of at least one of
these trust stores. Given updating the list of trusted roots in a CT
log is a quick process, I would assume your request would be quickly
processed once you are well on your way to being included in a common
trust store.

Thanks,
Peter

Nathanna

Nov 15, 2020, 9:26:15 PM
to certificate-transparency
I suppose that's something, I'll look into that and hopefully get SQC approved in Mozilla and some smaller trust stores, and use that as credit for the bigger ones I guess. :/

Thanks for the reply.

~ N

Nathanna

Nov 15, 2020, 9:26:54 PM
to certificate-transparency
I suppose that's something, I'll look into that and hopefully get SQC approved in Mozilla and some smaller trust stores, and use that as credit for the bigger ones I guess. :/

Thanks for the reply.

~ N


Kat Joyce

Nov 16, 2020, 7:27:50 AM
to nada...@gmail.com, certificate-...@googlegroups.com
Hi Nathanna,

First, apologies for the delayed response.

Second, with regards to your initial query about logging to the Google Pilot Log, there are a few things you should be aware of:

1)  As Peter mentioned, in order to have your roots added to the Google production Logs, they'd need to be accepted into one of the major root programs (Mozilla / Apple / Microsoft), as we keep our production Log root sets up to date with those root programs, and we don't add other roots to them.
2)  Pilot is now a special purpose Log, which only accepts certificates that chain to a limited set of roots, and is no longer kept up to date with the major root stores.  Therefore, once you have got your roots accepted into one of the major root stores, we'd instead advise you log your certificates to either of the temporally-sharded Google Argon or Xenon CT Logs.
3)  If you'd like to test CT support while you're going through the process of getting your roots added to the major root stores, we have test Logs that we could add test roots to.  The instructions for doing that can be found here.
4)  It is worth noting that CT is only required for certificates that will be used to authenticate public internet sites.  If your use case is different to this, it may be that you don't need to worry about CT.

A quick note about the Argon and Xenon Logs - they are each actually a set of Logs that have been 'temporally-sharded' - what this means is that each Log has a time range associated with it, and it will only accept certificates that have a NotAfter date within that time range.  The details of the Argon and Xenon Log sets, and their respective expiry ranges are as follows:

https://ct.googleapis.com/logs/argon2020  [Jan 01 2020 00:00:00Z, Jan 01 2021 00:00:00Z)
https://ct.googleapis.com/logs/argon2021  [Jan 01 2021 00:00:00Z, Jan 01 2022 00:00:00Z)
https://ct.googleapis.com/logs/argon2022  [Jan 01 2022 00:00:00Z, Jan 01 2023 00:00:00Z)
https://ct.googleapis.com/logs/argon2023  [Jan 01 2023 00:00:00Z, Jan 01 2024 00:00:00Z)

https://ct.googleapis.com/logs/xenon2020  [Jan 01 2020 00:00:00Z, Jan 01 2021 00:00:00Z)
https://ct.googleapis.com/logs/xenon2021  [Jan 01 2021 00:00:00Z, Jan 01 2022 00:00:00Z)
https://ct.googleapis.com/logs/xenon2022  [Jan 01 2022 00:00:00Z, Jan 01 2023 00:00:00Z)
https://ct.googleapis.com/logs/xenon2023  [Jan 01 2023 00:00:00Z, Jan 01 2024 00:00:00Z)

What this means is that for each certificate you issue, you'll have to submit it to the Log that will accept it based on its NotAfter date.

I hope that helps.  Please don't hesitate to reach out again should you have any further questions.

Kind regards,
Kat and the CT team at Google
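
The shard selection described in the message above, as an added example that is not part of the original thread or Google's code: it maps a certificate's NotAfter to the Argon and Xenon shards listed in the post, treating each range as half-open. The function names and the sample certificates are assumptions made for illustration.

```python
from datetime import datetime, timezone

def _utc(year):
    return datetime(year, 1, 1, tzinfo=timezone.utc)

# Shard list from the post: each <family><year> log covers
# [Jan 01 <year> 00:00:00Z, Jan 01 <year+1> 00:00:00Z).
SHARDS = [
    (f"https://ct.googleapis.com/logs/{family}{year}", _utc(year), _utc(year + 1))
    for family in ("argon", "xenon")
    for year in range(2020, 2024)
]

def shards_for(not_after):
    """Return the log URLs whose [start, end) range contains not_after."""
    if not_after.tzinfo is None:
        # A naive timestamp could silently land in the wrong shard.
        raise ValueError("NotAfter must be timezone-aware; X.509 times are UTC")
    t = not_after.astimezone(timezone.utc)
    return [url for url, start, end in SHARDS if start <= t < end]

def plan_submissions(certs):
    """Map each (label, NotAfter) pair to its shards; collect labels no listed log accepts."""
    plan, rejected = {}, []
    for label, not_after in certs:
        urls = shards_for(not_after)
        if urls:
            plan[label] = urls
        else:
            rejected.append(label)
    return plan, rejected

# Constructed sample certificates (labels and dates invented for illustration).
SAMPLE = [
    ("leaf-a", datetime(2021, 2, 14, 12, 0, tzinfo=timezone.utc)),
    # Exactly on a boundary: the end of a range is exclusive, so this is a 2021 cert.
    ("leaf-boundary", datetime(2021, 1, 1, tzinfo=timezone.utc)),
    ("leaf-last-second", datetime(2020, 12, 31, 23, 59, 59, tzinfo=timezone.utc)),
    # Outside every range listed in the post.
    ("leaf-too-late", datetime(2024, 1, 1, tzinfo=timezone.utc)),
]

if __name__ == "__main__":
    plan, rejected = plan_submissions(SAMPLE)
    for label, urls in plan.items():
        print(label, "->", ", ".join(urls))
    print("no shard on this list accepts:", rejected)
```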


Nathanna

Nov 16, 2020, 4:13:07 PM
to certificate-transparency
Hi Kat,

Thanks, and no worries.

SQC is in the process of contacting Mozilla for inclusion at the moment, so hopefully that will be a place to start in the newer logs. I did have one question, though. Are the Argon/Xenon logs trusted by Google Chrome as CT logs or is there a way to enable that for internal testing?

Thanks,
~ Nathanna
(from Squarecert)

Kat Joyce

Nov 17, 2020, 6:44:41 AM
to nada...@gmail.com, certificate-...@googlegroups.com
Hi Nathanna,

The Google Argon and Xenon Logs are qualified and usable in Google Chrome, yes.

Kind regards,
Kat
