Important changes to the v2 CT log list


Philippe Boneff

May 17, 2023, 3:46:40 AM
to certificate-...@googlegroups.com

Hi all,


Today we're announcing some important changes to our deprecation plan of the v2 log list URL.


Usage of the v2 log list URL in third-party Android applications has not decreased at the rate we had hoped, with most of these apps failing to work correctly when the log list is missing. To avoid this breakage, the v2 log list will remain available beyond 2023-06-07, but with reduced security guarantees. We continue to ask you to not use the v2 log list, and to migrate away from it to allow for a future turndown.


Going forward, while logs will be added to this list (once they reach the USABLE state in Chrome), logs will never be removed, even if they are Retired in Chrome. This change ensures that applications using the v2 URL are able to validate SCTs (albeit with fewer security guarantees) until those applications have received updates. Simultaneously, this change ensures that Chrome has the freedom necessary to retire logs without risking breakage to these applications. This list is still offered without any SLA.


Over time, the v2 and v3 log list URLs will diverge, and the v2 URL will not reflect Chrome's perspective on the current state of the CT ecosystem. Certificate issuers, monitors, and other actors that need to track Chrome's view of usable logs must still migrate to the v3 log list.


We believe that enforcing CT effectively and safely requires a coordinated maintenance of client enforcing code, a log list, and their respective update mechanism. To the best of our knowledge, there isn’t such an end-to-end CT solution for Android today. We’re committed to making CT enforcement easier on Android in the future, and hope to share more about this soon. Stay tuned on the certificate-transparency mailing list.


Cheers,

Google CT team, in collaboration with the Chrome team
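
An added example, not part of the original post and not Google's code: one way a consumer could measure the divergence described above by listing logs that the v2 list still carries but that the v3 list marks as retired, rejected, or no longer includes. The JSON layout (operators, logs, log_id, a single-key state object), the state names, and all sample values are assumptions or constructed data.

```python
# Added example: sample data below is constructed, not taken from the real lists.
# Assumed layout: {"operators": [{"logs": [{"log_id": ..., "state": {<name>: {...}}}]}]}

V2_SAMPLE = {"operators": [{"name": "Example Operator", "logs": [
    {"log_id": "constructed-log-A", "state": {"usable": {}}},
    {"log_id": "constructed-log-B", "state": {"usable": {}}},
    {"log_id": "constructed-log-C", "state": {"usable": {}}},
]}]}

V3_SAMPLE = {"operators": [{"name": "Example Operator", "logs": [
    {"log_id": "constructed-log-A", "state": {"usable": {}}},
    {"log_id": "constructed-log-B", "state": {"retired": {}}},
]}]}

# v3 outcomes treated here as "no longer current" (state names are assumed).
STALE = {"retired", "rejected", "absent"}


def log_states(log_list):
    """Map log_id -> state name for every log in a parsed log list."""
    states = {}
    for operator in log_list.get("operators", []):
        for log in operator.get("logs", []):
            # The state object is assumed to carry exactly one key: the state name.
            states[log["log_id"]] = next(iter(log.get("state", {})), "unknown")
    return states


def v2_divergence(v2_list, v3_list):
    """Return {log_id: v3_state} for logs kept in v2 that v3 no longer treats as current."""
    v3 = log_states(v3_list)
    findings = {}
    for log_id in log_states(v2_list):
        v3_state = v3.get(log_id, "absent")
        if v3_state in STALE:
            findings[log_id] = v3_state
    return findings


if __name__ == "__main__":
    for log_id, state in sorted(v2_divergence(V2_SAMPLE, V3_SAMPLE).items()):
        print(f"{log_id}: kept in v2, {state} in v3")
```

Any log reported here is one whose SCTs a v2-based validator would still accept after the v3 list has stopped treating that log as current.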
