On Wed, Jun 07, 2023 at 06:57:44PM -0700, Songnian Chen wrote:
> Regarding Certificate Transparency logs, I have a few questions.
> 1. What is the difference between Argon and Xenon?
There is very little difference between them: they're both run by Google,
and open to submission of any TLS certificate issued from a
generally-trusted root. From the URLs of the 2024 logs, it can be surmised
that Argon is *probably* run on infrastructure in the US, while Xenon is
*probably* run on infrastructure in the EU, which may make a difference,
submission-latency-wise, for CAs in those two areas.
> 2. If I want to obtain all newly issued certificates, do I only need to
> monitor one source or download logs from all sources and then deduplicate
> them?
You need to scrape certificates from *all* logs[1] and deduplicate them, not
just Argon and Xenon. There is no guarantee that a certificate will be
present in any particular log, nor is there any guarantee that a certificate
will *not* be present in all logs. Further, there is no guarantee that a
certificate won't be present in a single log multiple times (logs are free
to either present a previously-issued SCT for a duplicate submission, or
issue a new SCT and incorporate the certificate multiple times). Also,
there are often two "forms" of the same certificate in a given log; the
pre-certificate and the issued end-entity certificate, which means you've
got to de-dupe at that level, too.
Also, the Google logs are a *lot* slower to bulk-scrape than logs run by
other operators, which may be an issue if you want to get historical lists
of certificates.
- Matt
[1] Chrome CT policy requires SCTs to be from a diverse set of log
operators, and while I'd expect that most CAs *probably* submit to at
least one of the Google logs (for historical reasons), there's no
guarantee that a given certificate will be present in any
Google-operated log.
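The de-duplication the reply describes (same certificate in several logs, the same certificate entered more than once in one log, and a pre-certificate beside its final certificate), shown as an added example that is not part of the thread and not any log operator's code. It parses the RFC 6962 MerkleTreeLeaf carried in the "leaf_input" field of a /ct/v1/get-entries response using only the standard library, then keys each entry on (issuer Name, serialNumber), which is the same for a pre-certificate and the certificate it became. That key choice is this example's own; the log names "argon2024" and "xenon2024" are labels, and the certificates and responses below are constructed (unsigned, no extensions, so no poison extension to strip), not real log data.

```python
"""De-duplicate certificates scraped from several RFC 6962 CT logs (added example)."""
import base64
import hashlib
import struct

X509_ENTRY, PRECERT_ENTRY = 0, 1          # LogEntryType values, RFC 6962 section 3.1


# ---- minimal DER encode/decode, enough for the start of a TBSCertificate --
def der(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def der_read(buf, off=0):
    """Return (tag, value, offset just past the TLV) for the TLV at buf[off:]."""
    tag, length = buf[off], buf[off + 1]
    off += 2
    if length & 0x80:                         # long-form length
        nb = length & 0x7F
        length, off = int.from_bytes(buf[off:off + nb], "big"), off + nb
    return tag, buf[off:off + length], off + length


def issuer_and_serial(tbs):
    """From a DER TBSCertificate return (issuer Name DER, serialNumber as int)."""
    _, body, _ = der_read(tbs)                # TBSCertificate SEQUENCE
    tag, val, off = der_read(body)
    if tag == 0xA0:                           # optional EXPLICIT [0] version
        tag, val, off = der_read(body, off)
    if tag != 0x02:
        raise ValueError("expected INTEGER serialNumber")
    serial = int.from_bytes(val, "big", signed=True)
    _, _, off = der_read(body, off)           # signature AlgorithmIdentifier
    start = off
    _, _, off = der_read(body, off)           # issuer Name
    return body[start:off], serial


# ---- MerkleTreeLeaf (RFC 6962 section 3.4) -------------------------------
def parse_leaf(leaf_input):
    """Parse a v1 timestamped_entry leaf; return (entry_type, timestamp, tbs_der)."""
    if leaf_input[0] != 0 or leaf_input[1] != 0:
        raise ValueError("unsupported MerkleTreeLeaf version/type")
    timestamp, entry_type = struct.unpack(">QH", leaf_input[2:12])
    off = 12
    if entry_type == PRECERT_ENTRY:
        off += 32                             # issuer_key_hash; not needed for the key
    elif entry_type != X509_ENTRY:
        raise ValueError("unknown LogEntryType %d" % entry_type)
    n = int.from_bytes(leaf_input[off:off + 3], "big")
    blob = leaf_input[off + 3:off + 3 + n]
    if entry_type == X509_ENTRY:              # Certificate: first element is the TBS
        _, cert_body, _ = der_read(blob)
        _, _, end = der_read(cert_body)
        blob = cert_body[:end]
    return entry_type, timestamp, blob


def dedupe(responses):
    """responses: {log_name: get-entries JSON dict}. Returns {(issuer_hash, serial): record}."""
    seen = {}
    for log_name, resp in responses.items():
        for entry in resp["entries"]:
            etype, ts, tbs = parse_leaf(base64.b64decode(entry["leaf_input"]))
            issuer, serial = issuer_and_serial(tbs)
            key = (hashlib.sha256(issuer).hexdigest(), serial)
            rec = seen.setdefault(key, {"logs": set(), "precert": False,
                                        "cert": False, "first_seen": ts})
            rec["logs"].add(log_name)
            rec["precert" if etype == PRECERT_ENTRY else "cert"] = True
            rec["first_seen"] = min(rec["first_seen"], ts)   # earliest SCT timestamp
    return seen


# ---- constructed sample data: placeholder certificates, not real log output
SIGALG = der(0x30, der(0x06, bytes.fromhex("2A864886F70D01010B")) + der(0x05, b""))


def build_tbs(serial, issuer_cn, subject_cn):
    name = lambda cn: der(0x30, der(0x31, der(0x30, der(0x06, bytes.fromhex("550403"))
                                                   + der(0x0C, cn.encode()))))
    return der(0x30, der(0xA0, der(0x02, b"\x02"))
               + der(0x02, serial.to_bytes((serial.bit_length() + 8) // 8, "big"))
               + SIGALG + name(issuer_cn)
               + der(0x30, der(0x17, b"230101000000Z") + der(0x17, b"240101000000Z"))
               + name(subject_cn) + der(0x30, SIGALG + der(0x03, b"\x00")))


def leaf(entry_type, ts, blob):
    head = bytes([0, 0]) + struct.pack(">QH", ts, entry_type)
    if entry_type == PRECERT_ENTRY:
        head += hashlib.sha256(b"constructed-issuer-spki").digest()   # fake issuer_key_hash
    return base64.b64encode(head + len(blob).to_bytes(3, "big") + blob + b"\x00\x00").decode()


def sample_responses():
    tbs_a = build_tbs(0xABCD01, "Example CA", "www.example.com")
    tbs_b = build_tbs(0xABCD02, "Example CA", "mail.example.com")
    cert_a = der(0x30, tbs_a + SIGALG + der(0x03, b"\x00" * 9))   # dummy signature
    cert_b = der(0x30, tbs_b + SIGALG + der(0x03, b"\x00" * 9))
    return {
        "argon2024": {"entries": [{"leaf_input": leaf(PRECERT_ENTRY, 1000, tbs_a)},
                                  {"leaf_input": leaf(X509_ENTRY, 2000, cert_a)},
                                  {"leaf_input": leaf(X509_ENTRY, 2000, cert_a)}]},  # entered twice
        "xenon2024": {"entries": [{"leaf_input": leaf(PRECERT_ENTRY, 1005, tbs_a)},
                                  {"leaf_input": leaf(X509_ENTRY, 3000, cert_b)}]},
    }


if __name__ == "__main__":
    for (issuer, serial), rec in dedupe(sample_responses()).items():
        print("issuer %s.. serial %x logs=%s precert=%s cert=%s first_seen=%d" % (
            issuer[:12], serial, sorted(rec["logs"]), rec["precert"], rec["cert"], rec["first_seen"]))
```

The five sample entries collapse to two records: serial ABCD01 seen as a pre-certificate in both logs and as a final certificate (twice) in one of them, and serial ABCD02 seen once, in one log only, with no pre-certificate. Against real logs you would feed each log's paginated get-entries pages through the same `dedupe`, and would want to keep the raw leaf bytes (or the full certificate) per record rather than only the flags shown here.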