Cert is only in Submariner, yet it's accepted by Chrome

Skip to first unread message

Chris Hartwig

Mar 30, 2021, 5:12:38 PM3/30/21
to certificate-transparency

I've found a strange situation with the certificate for www.michelin.fr which I don't understand:

  • crt.sh shows that recent pre-certs were logged in various public logs, including the pre-cert for the currently used certificate

  • the certificate currently in use by the website is only registered with Submariner, a log which is supposed to mean that the Root is not trusted (if I understand correctly)

  • yet the certificate is accepted by Chrome and others, and it's a *very* public website
  • the CA (GeoTrust) is a very large one so I don't understand why their certs would end ip in Submariner...

Can someone with deeper understanding of CT help me? In this strange situation, should the certificate be trusted? or not? Why?

Here's the crt.sh for the current cert : https://crt.sh/?id=4208557599
Any idea?

(I'm working on a CT related project and I was using michelin.fr as a test: I'm not related to this company at all)

Rob Stradling

Mar 30, 2021, 5:43:59 PM3/30/21
to certificate-transparency
Hi Chris.

If a precertificate is logged, then the corresponding certificate does not need to be logged.  (If Chrome did require the certificate to be logged too, then the precertificate would no longer serve any purpose).  Thanks to the logging of the precertificate, the certificate contains embedded SCTs (see https://crt.sh/?id=4208557599), which Chrome and other CT-capable browsers use to check compliance with their CT policies.

> the CA (GeoTrust) is a very large one so I don't understand why their certs would end ip in Submariner

Anyone can submit any certificate or precertificate to any log, as long as they provide a chain to an Accepted Root Certificate of that log.

Perhaps someone from the Google CT Team could comment on Submariner's current root acceptance policy?

From: certificate-...@googlegroups.com <certificate-...@googlegroups.com> on behalf of Chris Hartwig <chrisde...@gmail.com>
Sent: 30 March 2021 21:42
To: certificate-transparency <certificate-...@googlegroups.com>
Subject: Cert is only in Submariner, yet it's accepted by Chrome

CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.

You received this message because you are subscribed to the Google Groups "certificate-transparency" group.
To unsubscribe from this group and stop receiving emails from it, send an email to certificate-transp...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/certificate-transparency/a9f1ec90-8978-4dc7-b08f-bdcc2933f019n%40googlegroups.com.
Reply all
Reply to author
0 new messages