In Progress
Status Update
No update yet.
Comments
rs...@chromium.org
[Empty comment from Monorail migration]
[Monorail components: -Internals>Network>SSL]
[Monorail components: -Internals>Network>SSL]
[Deleted User] <[Deleted User]>
al...@google.com
ping :)
as...@chromium.org
Hello and thanks for the ping!
In an effort to converge towards the 3 CT Logs per Log Operator limit discussed on ct-policy, could you post your plans to migrate/retire some of the existing Logs and how that fits with the plans to add Xenon?
We will be updating CT Policy soon with a reference to the 3 Log limit, but I didn't want that to further hold up the process.
Thanks!
In an effort to converge towards the 3 CT Logs per Log Operator limit discussed on ct-policy, could you post your plans to migrate/retire some of the existing Logs and how that fits with the plans to add Xenon?
We will be updating CT Policy soon with a reference to the 3 Log limit, but I didn't want that to further hold up the process.
Thanks!
pp...@google.com
[Description Changed]
ha...@google.com
To address the concerns about Google (as a log operator) running too many logs, and to accelerate our migration to temporal logs, our proposals for retirement of the non-temporal Google logs are detailed below.
We propose making these logs read-only during 2019:
*https://ct.googleapis.com/pilot - 2019-May-01
*https://ct.googleapis.com/rocketeer - 2019-Jun-01
*https://ct.googleapis.com/skydiver - 2019-Jul-01
*https://ct.googleapis.com/icarus - 2019-Aug-01
The dates are chosen to accommodate the roughly 31-week period from compliance monitoring start to ubiquity in Chrome user installs - a period that lands during April 2019. We suggest a rolling 1-month interval for the read-only switch-overs in order to give third parties ample time to react.
At this time we have no plans to change:
*https://ct.googleapis.com/daedalus
*https://ct.googleapis.com/submariner
as those logs are not qualified by Chrome.
This does mean that Certificate Authorities who do not yet submit certificates to temporal logs will need to start doing so before end April 2019.
Please let us know your thoughts. Does that move close enough to 3 CT Logs per Log Operator that compliance monitoring of the Xenon temporal log set might be able to start?
Paul
(for the Google CT Log Team).
We propose making these logs read-only during 2019:
*
*
*
*
The dates are chosen to accommodate the roughly 31-week period from compliance monitoring start to ubiquity in Chrome user installs - a period that lands during April 2019. We suggest a rolling 1-month interval for the read-only switch-overs in order to give third parties ample time to react.
At this time we have no plans to change:
*
*
as those logs are not qualified by Chrome.
This does mean that Certificate Authorities who do not yet submit certificates to temporal logs will need to start doing so before end April 2019.
Please let us know your thoughts. Does that move close enough to 3 CT Logs per Log Operator that compliance monitoring of the Xenon temporal log set might be able to start?
Paul
(for the Google CT Log Team).
ka...@google.com
Thank you for your request, we have started monitoring your Log server.
Should no issues be detected, the initial compliance monitoring phase
will be complete on Jan 3rd 2018 and we will update this bug
shortly after that date to confirm.
Should no issues be detected, the initial compliance monitoring phase
will be complete on Jan 3rd 2018 and we will update this bug
shortly after that date to confirm.
as...@chromium.org
Thanks for describing the plans to converge towards a reduced set of CT Logs operated by Google.
Application looks good and assigning to the CT Team to take action based on the Compliance Monitoring that started on October 5.
Application looks good and assigning to the CT Team to take action based on the Compliance Monitoring that started on October 5.
ka...@google.com
These logs have now passed the initial 90 day compliance period.
ro...@google.com
Will the Xenon logs be added to the log list in time for M72, as the Digicert Nessie logs have been?
ro...@google.com
The following root certificates should be accepted some time next week. This brings us up-to-date with the latest roots trusted by Apple, Microsoft and Mozilla.
emSign ECC Root CA - C3 (https://crt.sh/?sha256=bc4d809b15189d78db3e1d8cf4f9726a795da1643ca5f1358e1ddb0edc0d7eb3 )
emSign ECC Root CA - G3 (https://crt.sh/?sha256=86a1ecba089c4a8d3bbe2734c612ba341d813e043cf9e8a862cd5c57a36bbe6b )
emSign Root CA - C1 (https://crt.sh/?sha256=125609aa301da0a249b97a8239cb6a34216f44dcac9f3954b14292f2e8c8608f )
emSign Root CA - G1 (https://crt.sh/?sha256=40f6af0346a99aa1cd1d555a4e9cce62c7f9634603ee406615833dc8c8d00367 )
Entrust Root Certification Authority - G4 (https://crt.sh/?sha256=db3517d1f6732a2d5ab97c533ec70779ee3270a62fb4ac4238372460e6f01e88 )
Fina Root CA (https://crt.sh/?sha256=5ab4fcdb180b5b6af0d262a2375a2c77d25602015d96648756611e2e78c53ad3 )
GLOBALTRUST 2015 (https://crt.sh/?sha256=416b1f9e84e74c1d19b23d8d7191c6ad81246e641601f599132729f507beb3cc )
Hongkong Post Root CA 2 (https://crt.sh/?sha256=3945e08a8d4a0554b7605a7b355b10188e3ef842c76a805c54e3657c4d041aaa )
Hongkong Post Root CA 3 (https://crt.sh/?sha256=5a2fc03f0c83b090bbfa40604b0988446c7636183df9846e17101a447fb8efd6 )
Microsoft ECC Product Root Certificate Authority 2018 (https://crt.sh/?sha256=caca93b9d23d2b6fa76e8b8471931e0df3ec6f63af3cdbb936c41954a1872326 )
Microsoft ECC Root Certificate Authority 2017 (https://crt.sh/?sha256=fea1884ab3aea6d0dbedbe4b9cd9fec8655116300a86a856488fc488bb4b44d2 )
Microsoft ECC TS Root Certificate Authority 2018 (https://crt.sh/?sha256=3fd4be8baad2f26e1bde06c7584bb720dd1a972d111f5a4999bc44b08fb4960d )
Microsoft EV ECC Root Certificate Authority 2017 (https://crt.sh/?sha256=6aea30bc02ca85afcfec2f65f60881893c926925fd0704bd8ada3f0f6eddb699 )
Microsoft EV RSA Root Certificate Authority 2017 (https://crt.sh/?sha256=dfb3c314740596ad5fb97960ef62ad7c1fcceead16e74054652d1032e6f140ef )
Microsoft RSA Root Certificate Authority 2017 (https://crt.sh/?sha256=ecdd47b5acbfa328211e1bff54adeac95e6991e3c1d50e27b527e903208040a1 )
PostSignum Root QCA 4 (https://crt.sh/?sha256=ac7f7862e685c7a7d9826a58ea32d183d4893fcc8f8fd6d900c9769a987e77f0 )
ZETES TSP ROOT CA 001 (https://crt.sh/?sha256=016e1dcd5f78841bbebbae9ddea08c8d7ec54e698e95bb778ecdd1e10d8bf4f9 )
emSign ECC Root CA - C3 (
emSign ECC Root CA - G3 (
emSign Root CA - C1 (
emSign Root CA - G1 (
Entrust Root Certification Authority - G4 (
Fina Root CA (
GLOBALTRUST 2015 (
Hongkong Post Root CA 2 (
Hongkong Post Root CA 3 (
Microsoft ECC Product Root Certificate Authority 2018 (
Microsoft ECC Root Certificate Authority 2017 (
Microsoft ECC TS Root Certificate Authority 2018 (
Microsoft EV ECC Root Certificate Authority 2017 (
Microsoft EV RSA Root Certificate Authority 2017 (
Microsoft RSA Root Certificate Authority 2017 (
PostSignum Root QCA 4 (
ZETES TSP ROOT CA 001 (
as...@chromium.org
Xenon CT Logs will be added to the list of Qualified CT Logs in Chrome 73.
bu...@chops-service-accounts.iam.gserviceaccount.com
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/6dbb4b3e420a7225226bc290d712f99e32ab09fd
commit 6dbb4b3e420a7225226bc290d712f99e32ab09fd
Author: Devon O'Brien <asymmetric@chromium.org>
Date: Sat Feb 23 04:09:01 2019
Add Google Xenon CT Logs
Google Xenon2019, 2020, 2021, 2022 CT Logs have all passed their
monitoring period and are being added to the list of Qualified Logs in
Chrome.
Bug: 833350
Change-Id: I1215184564eb08a573f7091d26b7f532d93ddba5
Reviewed-on:https://chromium-review.googlesource.com/c/1485017
Commit-Queue: Devon O'Brien <asymmetric@chromium.org>
Commit-Queue: Nick Harper <nharper@chromium.org>
Reviewed-by: Nick Harper <nharper@chromium.org>
Cr-Commit-Position: refs/heads/master@{#634940}
[modify]https://crrev.com/6dbb4b3e420a7225226bc290d712f99e32ab09fd/components/certificate_transparency/data/log_list.json
commit 6dbb4b3e420a7225226bc290d712f99e32ab09fd
Author: Devon O'Brien <asymmetric@chromium.org>
Date: Sat Feb 23 04:09:01 2019
Add Google Xenon CT Logs
Google Xenon2019, 2020, 2021, 2022 CT Logs have all passed their
monitoring period and are being added to the list of Qualified Logs in
Chrome.
Bug: 833350
Change-Id: I1215184564eb08a573f7091d26b7f532d93ddba5
Reviewed-on:
Commit-Queue: Devon O'Brien <asymmetric@chromium.org>
Commit-Queue: Nick Harper <nharper@chromium.org>
Reviewed-by: Nick Harper <nharper@chromium.org>
Cr-Commit-Position: refs/heads/master@{#634940}
[modify]
as...@chromium.org
[Empty comment from Monorail migration]
sh...@chromium.org
The bug is marked as P3 or Feature. It should not be merged as M73 is in beta.
Please contact the approriate milestone owner if you have questions.
Owners: benmason@(Android), kariahda@(iOS), cindyb@(ChromeOS), abdulsyed@(Desktop)
For more details visithttps://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Please contact the approriate milestone owner if you have questions.
Owners: benmason@(Android), kariahda@(iOS), cindyb@(ChromeOS), abdulsyed@(Desktop)
For more details visit
aw...@google.com
Low risk data change. Good for 73.
aw...@google.com
Setting priority to placate the robots, and re-requesting merge
sh...@chromium.org
This bug requires manual review: M73 has already been promoted to the beta branch, so this requires manual review
Please contact the milestone owner if you have questions.
Owners: benmason@(Android), kariahda@(iOS), cindyb@(ChromeOS), abdulsyed@(Desktop)
For more details visithttps://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Please contact the milestone owner if you have questions.
Owners: benmason@(Android), kariahda@(iOS), cindyb@(ChromeOS), abdulsyed@(Desktop)
For more details visit
ab...@google.com
approved: branch 3683
cr...@appspot.gserviceaccount.com
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/b0209f9df8f14f770380c4c923ffd39d7bef9f6a
Commit: b0209f9df8f14f770380c4c923ffd39d7bef9f6a
Author: asymmetric@chromium.org
Commiter: awhalley@chromium.org
Date: 2019-02-25 23:53:58 +0000 UTC
Add Google Xenon CT Logs
[M73] Google Xenon2019, 2020, 2021, 2022 CT Logs have all passed their
monitoring period and are being added to the list of Qualified Logs in
Chrome.
Bug: 833350
Change-Id: I1215184564eb08a573f7091d26b7f532d93ddba5
Reviewed-on:https://chromium-review.googlesource.com/c/1485017
Commit-Queue: Devon O'Brien <asymmetric@chromium.org>
Commit-Queue: Nick Harper <nharper@chromium.org>
Reviewed-by: Nick Harper <nharper@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#634940}(cherry picked from commit 6dbb4b3e420a7225226bc290d712f99e32ab09fd)
Reviewed-on:https://chromium-review.googlesource.com/c/1487959
Reviewed-by: Andrew Whalley <awhalley@chromium.org>
Cr-Commit-Position: refs/branch-heads/3683@{#632}
Cr-Branched-From: e51029943e0a38dd794b73caaf6373d5496ae783-refs/heads/master@{#625896}
Commit: b0209f9df8f14f770380c4c923ffd39d7bef9f6a
Author: asymmetric@chromium.org
Commiter: awhalley@chromium.org
Date: 2019-02-25 23:53:58 +0000 UTC
Add Google Xenon CT Logs
[M73] Google Xenon2019, 2020, 2021, 2022 CT Logs have all passed their
monitoring period and are being added to the list of Qualified Logs in
Chrome.
Bug: 833350
Change-Id: I1215184564eb08a573f7091d26b7f532d93ddba5
Reviewed-on:
Commit-Queue: Devon O'Brien <asymmetric@chromium.org>
Commit-Queue: Nick Harper <nharper@chromium.org>
Reviewed-by: Nick Harper <nharper@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#634940}(cherry picked from commit 6dbb4b3e420a7225226bc290d712f99e32ab09fd)
Reviewed-on:
Reviewed-by: Andrew Whalley <awhalley@chromium.org>
Cr-Commit-Position: refs/branch-heads/3683@{#632}
Cr-Branched-From: e51029943e0a38dd794b73caaf6373d5496ae783-refs/heads/master@{#625896}
bu...@chops-service-accounts.iam.gserviceaccount.com
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/b0209f9df8f14f770380c4c923ffd39d7bef9f6a
commit b0209f9df8f14f770380c4c923ffd39d7bef9f6a
Author: Devon O'Brien <asymmetric@chromium.org>
Date: Mon Feb 25 23:53:58 2019
Add Google Xenon CT Logs
[M73] Google Xenon2019, 2020, 2021, 2022 CT Logs have all passed their
monitoring period and are being added to the list of Qualified Logs in
Chrome.
Bug: 833350
Change-Id: I1215184564eb08a573f7091d26b7f532d93ddba5
Reviewed-on:https://chromium-review.googlesource.com/c/1485017
Commit-Queue: Devon O'Brien <asymmetric@chromium.org>
Commit-Queue: Nick Harper <nharper@chromium.org>
Reviewed-by: Nick Harper <nharper@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#634940}(cherry picked from commit 6dbb4b3e420a7225226bc290d712f99e32ab09fd)
Reviewed-on:https://chromium-review.googlesource.com/c/1487959
Reviewed-by: Andrew Whalley <awhalley@chromium.org>
Cr-Commit-Position: refs/branch-heads/3683@{#632}
Cr-Branched-From: e51029943e0a38dd794b73caaf6373d5496ae783-refs/heads/master@{#625896}
[modify]https://crrev.com/b0209f9df8f14f770380c4c923ffd39d7bef9f6a/components/certificate_transparency/data/log_list.json
commit b0209f9df8f14f770380c4c923ffd39d7bef9f6a
Author: Devon O'Brien <asymmetric@chromium.org>
Date: Mon Feb 25 23:53:58 2019
Add Google Xenon CT Logs
[M73] Google Xenon2019, 2020, 2021, 2022 CT Logs have all passed their
monitoring period and are being added to the list of Qualified Logs in
Chrome.
Bug: 833350
Change-Id: I1215184564eb08a573f7091d26b7f532d93ddba5
Reviewed-on:
Commit-Queue: Devon O'Brien <asymmetric@chromium.org>
Commit-Queue: Nick Harper <nharper@chromium.org>
Reviewed-by: Nick Harper <nharper@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#634940}(cherry picked from commit 6dbb4b3e420a7225226bc290d712f99e32ab09fd)
Reviewed-on:
Reviewed-by: Andrew Whalley <awhalley@chromium.org>
Cr-Commit-Position: refs/branch-heads/3683@{#632}
Cr-Branched-From: e51029943e0a38dd794b73caaf6373d5496ae783-refs/heads/master@{#625896}
[modify]
ro...@google.com
Xenon2023 inclusion request:
This Log is public and provides open access. There are no fees for submitting certificates or any other usage, including queries and mirroring. No prior contracts or agreements are required before the Log may be used.
Details:
Log ID: rfe++nz/EMiLnT2cHj4YarRnKV3PsQwkyoWGNOvcgoo=
Log URL:https://ct.googleapis.com/logs/xenon2023
Certificate Expiry Range: Jan 01 2023 00:00:00Z inclusive to Jan 01 2024 00:00:00Z exclusive
MMD: 24 hours
Server public key: file attached (xenon2023.der)
Accepted roots: The same roots as for existing Xenon Logs.
Additional Notes:
We will freeze the Log once its inclusion expiry window has passed and close it for new submissions as of Jan 01 2024 00:00:00Z. We will then request that trust be withdrawn from this Log by Chromium as all the certificates it contains will have expired and will therefore be no longer valid.
Submissions and queries are rate limited to protect our infrastructure. Rate limited requests will be denied with an HTTP error status code. We intend to provide serving capacity to support any reasonable usage level but additional automatic mechanisms exist that will operate to protect our infrastructure in emergency situations.
Implementation:
This Log is based on our Golang implementation of Certificate Transparency. The open source version of this code can be found at:https://github.com/google/trillian and https://github.com/google/certificate-transparency-go and it is made available under an Apache 2.0 license.
This Log is public and provides open access. There are no fees for submitting certificates or any other usage, including queries and mirroring. No prior contracts or agreements are required before the Log may be used.
Details:
Log ID: rfe++nz/EMiLnT2cHj4YarRnKV3PsQwkyoWGNOvcgoo=
Log URL:
Certificate Expiry Range: Jan 01 2023 00:00:00Z inclusive to Jan 01 2024 00:00:00Z exclusive
MMD: 24 hours
Server public key: file attached (xenon2023.der)
Accepted roots: The same roots as for existing Xenon Logs.
Additional Notes:
We will freeze the Log once its inclusion expiry window has passed and close it for new submissions as of Jan 01 2024 00:00:00Z. We will then request that trust be withdrawn from this Log by Chromium as all the certificates it contains will have expired and will therefore be no longer valid.
Submissions and queries are rate limited to protect our infrastructure. Rate limited requests will be denied with an HTTP error status code. We intend to provide serving capacity to support any reasonable usage level but additional automatic mechanisms exist that will operate to protect our infrastructure in emergency situations.
Implementation:
This Log is based on our Golang implementation of Certificate Transparency. The open source version of this code can be found at:
ka...@google.com
Thank you for your request, we have started monitoring your Log server.
Should no issues be detected, the initial compliance monitoring phase
will be complete on Mon July 29th 2019 and we will update this bug
shortly after that date to confirm.
Should no issues be detected, the initial compliance monitoring phase
will be complete on Mon July 29th 2019 and we will update this bug
shortly after that date to confirm.
mh...@google.com
This is advance notice that the xenon logs will begin accepting the attached roots in the next few days. This is to align with updates from the Mozila, Apple and Microsoft root programs.
ka...@google.com
This is advance notice that the Xenon logs will begin accepting the attached roots in the next few days. This brings us up-to-date with the latest roots trusted by Apple, Microsoft and Mozilla.
ka...@google.com
Xenon2023 has passed the initial 90 day compliance period.
as...@chromium.org
Now that Xenon2023 has passed its monitoring period, it will be included in an upcoming release of Chrome.
bu...@chops-service-accounts.iam.gserviceaccount.com
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/cc8123ff22a6e7c62a760a5912ea91a55b03a330
commit cc8123ff22a6e7c62a760a5912ea91a55b03a330
Author: Devon O'Brien <asymmetric@chromium.org>
Date: Thu Aug 22 19:54:42 2019
Add Argon, Xenon CT Shards and update Usable Logs
Adding Google Argon2022, Argon 2023, Xenon 2023 CT Logs to list of
Qualified CT Logs in Chrome. Additionally, incorporate recent Qualified
--> Usable Log states.
Bug: 889033, 833350
Change-Id: Iaca8867da9de61cb5a03e6323e14e8b9df0b5c2f
Reviewed-on:https://chromium-review.googlesource.com/c/chromium/src/+/1764834
Commit-Queue: Ryan Sleevi <rsleevi@chromium.org>
Reviewed-by: Ryan Sleevi <rsleevi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#689620}
[modify]https://crrev.com/cc8123ff22a6e7c62a760a5912ea91a55b03a330/components/certificate_transparency/data/log_list.json
commit cc8123ff22a6e7c62a760a5912ea91a55b03a330
Author: Devon O'Brien <asymmetric@chromium.org>
Date: Thu Aug 22 19:54:42 2019
Add Argon, Xenon CT Shards and update Usable Logs
Adding Google Argon2022, Argon 2023, Xenon 2023 CT Logs to list of
Qualified CT Logs in Chrome. Additionally, incorporate recent Qualified
--> Usable Log states.
Bug: 889033, 833350
Change-Id: Iaca8867da9de61cb5a03e6323e14e8b9df0b5c2f
Reviewed-on:
Commit-Queue: Ryan Sleevi <rsleevi@chromium.org>
Reviewed-by: Ryan Sleevi <rsleevi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#689620}
[modify]
ab...@google.com
[Empty comment from Monorail migration]
ro...@google.com
The following root certificates should be accepted in the next few days. This brings us up-to-date with the latest roots trusted by Apple, Microsoft and Mozilla.
A-Trust-Root-07 (https://crt.sh/?sha256=8AC552AD577E37AD2C6808D72AA331D6A96B4B3FEBFF34CE9BC0578E08055EC3 )
AC RAIZ FNMT-RCM SERVIDORES SEGUROS (https://crt.sh/?sha256=554153B13D2CF9DDB753BFBE1A4E0AE08D0AA4187058FE60A2B862B2E4B87BCB )
Digidentity Services Root CA (https://crt.sh/?sha256=E28097721A8CAB8880AF80FDEF8902B1F15BC7473AD68EC22991257A910D9EA2 )
HiPKI Root CA - G1 (https://crt.sh/?sha256=F015CE3CC239BFEF064BE9F1D2C417E1A0264A0A94BE1F0C8D121864EB6949CC )
TrustFactory Client Root Certificate Authority (https://crt.sh/?sha256=92C4DB06C42A130D663574D7741B7F93C806FD6714DCE890E84B568FAE86E64C )
TrustFactory SSL Root Certificate Authority (https://crt.sh/?sha256=608142DA5C675DD47C1AA3A26EE329E24E81D5FF3B94017BC1C1A0C37DB4C1A0 )
A-Trust-Root-07 (
AC RAIZ FNMT-RCM SERVIDORES SEGUROS (
Digidentity Services Root CA (
HiPKI Root CA - G1 (
TrustFactory Client Root Certificate Authority (
TrustFactory SSL Root Certificate Authority (
bu...@chops-service-accounts.iam.gserviceaccount.com
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/e033907514a7f5b622facbb133d2a3a801a99b46
commit e033907514a7f5b622facbb133d2a3a801a99b46
Author: Devon O'Brien <asymmetric@chromium.org>
Date: Mon Feb 10 17:37:04 2020
February 2020 CT Log List Changes
The following CT Logs have transitioned from Qualified to
Usable:
Let's Encrypt Oak: 2020, 2021, 2022
Google Argon: 2022, 2023
Google Xenon: 2023
Cloudflare Nimbus: 2023
DigiCert Yeti: 2023
DigiCert Nessie: 2023
Additionally, the following 2019 Logs have been removed:
Cloudflare Nimbus: 2019
DigiCert Yeti: 2019
DigiCert Nessie: 2019
Google Argon: 2019
Google Xenon: 2019
Let's Encrypt: 2019
Bug: 963693, 833350, 889033, 796333, 801624, 780655, 888130
Change-Id: I6800ad3a8443c2a65a4a3e7d9741cb8c65bc92dc
Reviewed-on:https://chromium-review.googlesource.com/c/chromium/src/+/2040111
Reviewed-by: Ryan Sleevi <rsleevi@chromium.org>
Commit-Queue: Devon O'Brien <asymmetric@chromium.org>
Cr-Commit-Position: refs/heads/master@{#739918}
[modify]https://crrev.com/e033907514a7f5b622facbb133d2a3a801a99b46/components/certificate_transparency/data/log_list.json
commit e033907514a7f5b622facbb133d2a3a801a99b46
Author: Devon O'Brien <asymmetric@chromium.org>
Date: Mon Feb 10 17:37:04 2020
February 2020 CT Log List Changes
The following CT Logs have transitioned from Qualified to
Usable:
Let's Encrypt Oak: 2020, 2021, 2022
Google Argon: 2022, 2023
Google Xenon: 2023
Cloudflare Nimbus: 2023
DigiCert Yeti: 2023
DigiCert Nessie: 2023
Additionally, the following 2019 Logs have been removed:
Cloudflare Nimbus: 2019
DigiCert Yeti: 2019
DigiCert Nessie: 2019
Google Argon: 2019
Google Xenon: 2019
Let's Encrypt: 2019
Bug: 963693, 833350, 889033, 796333, 801624, 780655, 888130
Change-Id: I6800ad3a8443c2a65a4a3e7d9741cb8c65bc92dc
Reviewed-on:
Reviewed-by: Ryan Sleevi <rsleevi@chromium.org>
Commit-Queue: Devon O'Brien <asymmetric@chromium.org>
Cr-Commit-Position: refs/heads/master@{#739918}
[modify]
me...@google.com
The following root certificates should be accepted some time next week. This brings us up-to-date with the latest roots trusted by Apple, Microsoft and Mozilla.
Microsoft ECC Root Certificate Authority 2017 (https://crt.sh/?q=358DF39D764AF9E1B766E9C972DF352EE15CFAC227AF6AD1D70E8E4A6EDCBA02 )
Microsoft RSA Root Certificate Authority 2017 (https://crt.sh/?q=C741F70F4B2A8D88BF2E71C14122EF53EF10EBA0CFA5E64CFA20F418853073E0 )
Microsoft ECC Root Certificate Authority 2017 (
Microsoft RSA Root Certificate Authority 2017 (
pk...@google.com
The following root certificates should be accepted in the next few days. This brings us up-to-date with the latest roots trusted by Mozilla.
GlobalSign Client Authentication Root E45 (https://crt.sh/?sha256=8b0f0faa2c00fe0532a8a54e7bc5fd139c1922c4f10f0b16e10fb8be1a634964 )
GlobalSign Client Authentication Root R45 (https://crt.sh/?sha256=165c7e810bd37c1d57ce9849accd500e5cb01eea37dc550db07e598aad2474a8 )
e-Szigno Root CA 2017 (https://crt.sh/?sha256=beb00b30839b9bc32c32e4447905950641f26421b15ed089198b518ae2ea1b99 )
TunTrust Root CA (https://crt.sh/?sha256=2e44102ab58cb85419451c8e19d9acf3662cafbc614b6a53960a30f7d0e2eb41 )
Microsoft EV ECC Root Certificate Authority 2017 (https://crt.sh/?sha256=de1af143ffa160cf5fa86abfe577291633dc264da12c863c5738bea4afbb2cdb )
Microsoft EV RSA Root Certificate Authority 2017 (https://crt.sh/?sha256=66960242db2ed5906e113295f2454f33d6fb418c4c65e8166d43be64d19ba4fa )
GlobalSign Client Authentication Root E45 (
GlobalSign Client Authentication Root R45 (
e-Szigno Root CA 2017 (
TunTrust Root CA (
Microsoft EV ECC Root Certificate Authority 2017 (
Microsoft EV RSA Root Certificate Authority 2017 (
pk...@google.com
The following root certificates should be accepted in the next few days. This brings us up-to-date with the latest roots trusted by Apple and Microsoft.
OISTE WISeKey Global Root GC CA (https://crt.sh/?sha256=8560f91c3624daba9570b5fea0dbe36ff11a8323be9486854fb3f34a5571198d )
Certum EC-384 CA (https://crt.sh/?sha256=6b328085625318aa50d173c98d8bda09d57e27413d114cf787a0f5d06c030cf6 )
Certum Trusted Root CA (https://crt.sh/?sha256=fe7696573855773e37a95e7ad4d9cc96c30157c15d31765ba9b15704e1ae78fd )
OISTE WISeKey Global Root GC CA (
Certum EC-384 CA (
Certum Trusted Root CA (
pk...@google.com
Update: Only "Certum" certificates from the previous comment will be added.
al...@google.com
The following root certs will be accepted in the next few days. This brings us up-to-date with the latest roots trusted by Apple and Mozilla.
GLOBALTRUST 2020 (https://crt.sh/?sha256=9a296a5182d1d451a2e37f439b74daafa267523329f90f9a0d2007c334e23c9a )
GlobalSign Root E46 (https://crt.sh/?sha256=cbb9c44d84b8043e1050ea31a69f514955d7bfd2e2c6b49301019ad61d9f5058 )
GlobalSign Root R46 (https://crt.sh/?sha256=4fa3126d8d3a11d1c4855a4f807cbad6cf919d3a5a88b03bea2c6372d93c40c9 )
Autoridade Certificadora Raiz Brasileira v10 (https://crt.sh/?sha256=6e0bff069a26994c15de2c4888cc54af84882e5495b7fbf66be9ccffec7489f6 )
I.CA Root CA/ECC 12/2016 (https://crt.sh/?sha256=b8692148ff49c3799fa2347ae28bcc5289623512b67dc19170452ade24ba51d5 )
GLOBALTRUST 2020 (
GlobalSign Root E46 (
GlobalSign Root R46 (
Autoridade Certificadora Raiz Brasileira v10 (
as...@chromium.org
As announced on ct-policy@ [1], the now-expired Google 'Xenon2020' CT Log will be removed in an upcoming release of Chrome. Please refer to the linked announcement for more information on how this impacts CAs, log operators, and site operators.
[1]https://groups.google.com/a/chromium.org/g/ct-policy/c/B56I4nSiBHM/m/IMy-fyN1BgAJ
[1]
gi...@appspot.gserviceaccount.com
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src/+/a86bd361fac7e957438646391faf8c88b1993042
commit a86bd361fac7e957438646391faf8c88b1993042
Author: Devon O'Brien <asymmetric@chromium.org>
Date: Thu Apr 22 16:42:08 2021
Remove expired 2020 CT Logs from Chromium
Now that they have expired, the following CT Logs are being removed:
Google Argon2020 log
Google Xenon2020 log
Cloudflare Nimbus2020 Log
DigiCert Yeti2020 Log
DigiCert Nessie2020 Log
Let's Encrypt Oak2020 log
Trust Asia Log2020
Bug: 889033, 833350, 780656, 796333, 801624, 963693, 1073395
Change-Id: Id2a7d88e231f2a20a03fe2e93e2ec7a3a0eb4828
Reviewed-on:https://chromium-review.googlesource.com/c/chromium/src/+/2845509
Reviewed-by: Ryan Sleevi <rsleevi@chromium.org>
Commit-Queue: Devon O'Brien <asymmetric@chromium.org>
Cr-Commit-Position: refs/heads/master@{#875205}
[modify]https://crrev.com/a86bd361fac7e957438646391faf8c88b1993042/components/certificate_transparency/data/log_list.json
commit a86bd361fac7e957438646391faf8c88b1993042
Author: Devon O'Brien <asymmetric@chromium.org>
Date: Thu Apr 22 16:42:08 2021
Remove expired 2020 CT Logs from Chromium
Now that they have expired, the following CT Logs are being removed:
Google Argon2020 log
Google Xenon2020 log
Cloudflare Nimbus2020 Log
DigiCert Yeti2020 Log
DigiCert Nessie2020 Log
Let's Encrypt Oak2020 log
Trust Asia Log2020
Bug: 889033, 833350, 780656, 796333, 801624, 963693, 1073395
Change-Id: Id2a7d88e231f2a20a03fe2e93e2ec7a3a0eb4828
Reviewed-on:
Reviewed-by: Ryan Sleevi <rsleevi@chromium.org>
Commit-Queue: Devon O'Brien <asymmetric@chromium.org>
Cr-Commit-Position: refs/heads/master@{#875205}
[modify]
ge...@google.com
The following roots will be accepting in the next few days:
ANF Secure Server Root CA (https://crt.sh/?sha256=fb8fec759169b9106b1e511644c618c51304373f6c0643088d8beffd1b997599 )
DigiCert ECC P384 Root G5 (https://crt.sh/?sha256=c1468cf2254e6004b24696aba209d1a30ba6e2dff68a9a4e32c6ab414f90c8d9 )
DigiCert RSA4096 Root G5 (https://crt.sh/?sha256=e46a392204a8dca342a71c1ca9a60c9185b9a930370120c3b9c7e3856f0d8f3b )
DigiCert TLS ECC P384 Root G5 (https://crt.sh/?sha256=018e13f0772532cf809bd1b17281867283fc48c6e13be9c69812854a490c1b05 )
DigiCert TLS RSA4096 Root G5 (https://crt.sh/?sha256=371a00dc0533b3721a7eeb40e8419e70799d2b0a0f2c1d80693165f7cec4ad75 )
HARICA TLS ECC Root CA 2021 (https://crt.sh/?sha256=3f99cc474acfce4dfed58794665e478d1547739f2e780f1bb4ca9b133097d401 )
HARICA TLS RSA Root CA 2021 (https://crt.sh/?sha256=d95d0e8eda79525bf9beb11b14d2100d3294985f0c62d9fabd9cd999eccb7b1d )
ISRG Root X2 (https://crt.sh/?sha256=69729b8e15a86efc177a57afb7171dfc64add28c2fca8cf1507e34453ccb1470 )
ANF Secure Server Root CA (
DigiCert ECC P384 Root G5 (
DigiCert RSA4096 Root G5 (
DigiCert TLS ECC P384 Root G5 (
DigiCert TLS RSA4096 Root G5 (
HARICA TLS ECC Root CA 2021 (
HARICA TLS RSA Root CA 2021 (
ISRG Root X2 (
al...@google.com
al...@google.com
The following roots will be accepted in the next few days:
Autoridad de Certificacion Firmaprofesional CIF A62634068 (https://crt.sh/?sha256=57de0583efd2b26e0361da99da9df4648def7ee8441c3b728afa9bcde0f9b26a )
GTS Root R1 (https://crt.sh/?sha256=d947432abde7b7fa90fc2e6b59101b1280e0e1c7e4e40fa3c6887fff57a7f4cf )
GTS Root R2 (https://crt.sh/?sha256=8d25cd97229dbf70356bda4eb3cc734031e24cf00fafcfd32dc76eb5841c7ea8 )
GTS Root R3 (https://crt.sh/?sha256=34d8a73ee208d9bcdb0d956520934b4e40e69482596e8b6f73c8426b010a6f48 )
GTS Root R4 (https://crt.sh/?sha256=349dfa4058c5e263123b398ae795573c4e1313c83fe68f93556cd5e8031b3c7d )
GlobalSign (https://crt.sh/?sha256=b085d70b964f191a73e4af0d54ae7a0e07aafdaf9b71dd0862138ab7325a24a2 )
vTrus ECC Root CA (https://crt.sh/?sha256=30fbba2c32238e2a98547af97931e550428b9b3f1c8eeb6633dcfa86c5b27dd3 )
vTrus Root CA (https://crt.sh/?sha256=8a71de6559336f426c26e53880d00d88a18da4c6a91f0dcb6194e206c5c96387 )
Autoridad de Certificacion Firmaprofesional CIF A62634068 (
GTS Root R1 (
GTS Root R2 (
GTS Root R3 (
GTS Root R4 (
GlobalSign (
vTrus ECC Root CA (
vTrus Root CA (
as...@chromium.org
As announced on ct-policy@ [1], the now-expired Google 'Xenon2021' CT Log will be removed in an upcoming release of Chrome. Please refer to the linked announcement for more information on how this impacts CAs, log operators, and site operators.
[1]https://groups.google.com/a/chromium.org/g/ct-policy/c/NMI1Ahtdyi0/m/yOOaBRJcCAAJ
[1]
ph...@google.com
Xenon2024 inclusion request:
This Log is public and provides open access. There are no fees for submitting certificates or any other usage, including queries and mirroring. No prior contracts or agreements are required before the Log may be used.
Details:
Log ID: dv+IPwq2+5VRwmHM9Ye6NLSkzbsp3GhCCp/mZ0xaOnQ=
Log URL:https://ct.googleapis.com/logs/xenon2024
Certificate Expiry Range: Jan 01 2024 00:00:00Z inclusive to Jan 01 2025 00:00:00Z exclusive
MMD: 24 hours
Server public key: file attached (xenon2024.der)
Accepted roots: The same roots as for existing Xenon Logs.
Additional Notes:
We will freeze the Log once its inclusion expiry window has passed and close it for new submissions as of Jan 01 2025 00:00:00Z. We will then request that trust be withdrawn from this Log by Chromium as all the certificates it contains will have expired and will therefore be no longer valid.
Submissions and queries are rate limited to protect our infrastructure. Rate limited requests will be denied with an HTTP error status code. We intend to provide serving capacity to support any reasonable usage level but additional automatic mechanisms exist that will operate to protect our infrastructure in emergency situations.
Implementation:
This Log is based on our Golang implementation of Certificate Transparency. The open source version of this code can be found at:https://github.com/google/trillian and https://github.com/google/certificate-transparency-go and it is made available under an Apache 2.0 license.
This Log is public and provides open access. There are no fees for submitting certificates or any other usage, including queries and mirroring. No prior contracts or agreements are required before the Log may be used.
Details:
Log ID: dv+IPwq2+5VRwmHM9Ye6NLSkzbsp3GhCCp/mZ0xaOnQ=
Log URL:
Certificate Expiry Range: Jan 01 2024 00:00:00Z inclusive to Jan 01 2025 00:00:00Z exclusive
MMD: 24 hours
Server public key: file attached (xenon2024.der)
Accepted roots: The same roots as for existing Xenon Logs.
Additional Notes:
We will freeze the Log once its inclusion expiry window has passed and close it for new submissions as of Jan 01 2025 00:00:00Z. We will then request that trust be withdrawn from this Log by Chromium as all the certificates it contains will have expired and will therefore be no longer valid.
Submissions and queries are rate limited to protect our infrastructure. Rate limited requests will be denied with an HTTP error status code. We intend to provide serving capacity to support any reasonable usage level but additional automatic mechanisms exist that will operate to protect our infrastructure in emergency situations.
Implementation:
This Log is based on our Golang implementation of Certificate Transparency. The open source version of this code can be found at:
mh...@google.com
The following roots will be accepted in the next few days:
Certainly Root E1 (https://crt.sh/?sha256=b4585f22e4ac756a4e8612a1361c5d9d031a93fd84febb778fa3068b0fc42dc2 )
Certainly Root R1 (https://crt.sh/?sha256=77b82cd8644c4305f7acc5cb156b45675004033d51c60c6202a8e0c33467d3a0 )
D-TRUST BR Root CA 1 2020 (https://crt.sh/?sha256=e59aaa816009c22bff5b25bad37df306f049797c1f81d85ab089e657bd8f0044 )
D-TRUST EV Root CA 1 2020 (https://crt.sh/?sha256=08170d1aa36453901a2f959245e347db0c8d37abaabc56b81aa100dc958970db )
E-Tugra Global Root CA ECC v3 (https://crt.sh/?sha256=873f4685fa7f563625252e6d36bcd7f16fc24951f264e47e1b954f4908cdca13 )
E-Tugra Global Root CA RSA v3 (https://crt.sh/?sha256=ef66b0b10a3cdb9f2e3648c76bd2af18ead2bfe6f117655e28c4060da1a3f4c2 )
SecureSign Root CA12 (https://crt.sh/?sha256=3f034bb5704d44b2d08545a02057de93ebf3905fce721acbc730c06ddaee904e )
SecureSign Root CA14 (https://crt.sh/?sha256=4b009c1034494f9ab56bba3ba1d62731fc4d20d8955adcec10a925607261e338 )
SecureSign Root CA15 (https://crt.sh/?sha256=e778f0f095fe843729cd1a0082179e5314a9c291442805e1fb1d8fb6b8886c3a )
Certainly Root E1 (
Certainly Root R1 (
D-TRUST BR Root CA 1 2020 (
D-TRUST EV Root CA 1 2020 (
E-Tugra Global Root CA ECC v3 (
E-Tugra Global Root CA RSA v3 (
SecureSign Root CA12 (
SecureSign Root CA14 (
SecureSign Root CA15 (
as...@chromium.org
Thank you for requesting monitoring for Google Xenon 2024. The application looks good and we will begin compliance monitoring shortly.
ge...@google.com
Thank you for your request, we started monitoring your Log server on June 28 2022.
Should no issues be detected, the initial compliance monitoring phase
will be complete on July 27 2022 and we will update this bug
shortly after that date to confirm.
Should no issues be detected, the initial compliance monitoring phase
will be complete on July 27 2022 and we will update this bug
shortly after that date to confirm.
ge...@google.com
FYI, due to internal infrastructure changes, we plan to publish the Xenon2024 log at the URL https://ct.googleapis.com/logs/eu1/xenon2024 rather than the URL we mentioned earlier. This log has not yet been published in the log lists, and has not yet been used, so we expect no impact from this.
ge...@google.com
This log has passed its 30-day compliance period.
as...@chromium.org
[Comment Deleted]
as...@chromium.org
After passing the initial compliance monitoring period, Xenon 2024 (https://ct.googleapis.com/logs/eu1/xenon2024 ) is being added to Chromium as Qualified.
ro...@google.com
hi...@google.com
The following roots will be accepted in the next few days:
I.CA TLS Root CA/RSA 05/2022 (https://crt.sh/?sha256=f9a17a00e5c294ba9614a715819af57f3fd48cc413453fbb8a5fc7e97964e2bc )
GlobalSign Secure Mail Root E45 (https://crt.sh/?sha256=5cbf6fb81fd417ea4128cd6f8172a3c9402094f74ab2ed3a06b4405d04f30b19 )
GlobalSign Secure Mail Root R45 (https://crt.sh/?sha256=319af0a7729e6f89269c131ea6a3a16fcd86389fdcab3c47a4a675c161a3f974 )
HARICA Client ECC Root CA 2021 (https://crt.sh/?sha256=8dd4b5373cb0de36769c12339280d82746b3aa6cd426e797a31babe4279cf00b )
HARICA Client RSA Root CA 2021 (https://crt.sh/?sha256=1be7abe30686b16348afd1c61b6866a0ea7f4821e67d5e8af93
GlobalSign Secure Mail Root E45 (
GlobalSign Secure Mail Root R45 (
HARICA Client ECC Root CA 2021 (
HARICA Client RSA Root CA 2021 (
jd...@chromium.org
As announced on ct-policy@ [1], effective 2023-02-01 the now-expired Xenon 2022 log will be removed from Chrome. Please refer to the linked announcement for more information on how this impacts CAs, log operators, and site operators.
[1]https://groups.google.com/a/chromium.org/g/ct-policy/c/b0ejAPkYGis
[1]
ro...@google.com
The following roots will be accepted in the next few days:
BJCA Global Root CA1 (https://crt.sh/?sha256=f3896f88fe7c0a882766a7fa6ad2749fb57a7f3e98fb769c1fa7b09c2c44d5ae )
BJCA Global Root CA2 (https://crt.sh/?sha256=574df6931e278039667b720afdc1600fc27eb66dd3092979fb73856487212882 )
Sectigo Public Server Authentication Root E46 (https://crt.sh/?sha256=c90f26f0fb1b4018b22227519b5ca2b53e2ca5b3be5cf18efe1bef47380c5383 )
Sectigo Public Server Authentication Root R46 (https://crt.sh/?sha256=7bb647a62aeeac88bf257aa522d01ffea395e0ab45c73f93f65654ec38f25a06 )
BJCA Global Root CA1 (
BJCA Global Root CA2 (
Sectigo Public Server Authentication Root E46 (
Sectigo Public Server Authentication Root R46 (
ja...@google.com
The following roots will be accepted in the next few days:
Atos TrustedRoot Root CA ECC TLS 2021 (https://crt.sh/?sha256=b2fae53e14ccd7ab9212064701ae279c1d8988facb775fa8a008914e663988a8 )
Atos TrustedRoot Root CA RSA TLS 2021 (https://crt.sh/?sha256=81a9088ea59fb364c548a6f85559099b6f0405efbf18e5324ec9f457ba00112f )
SSL.com TLS ECC Root CA 2022 (https://crt.sh/?sha256=c32ffd9f46f936d16c3673990959434b9ad60aafbb9e7cf33654f144cc1ba143 )
SSL.com TLS RSA Root CA 2022 (https://crt.sh/?sha256=8faf7d2e2cb4709bb8e0b33666bf75a5dd45b5de480f8ea8d4bfe6bebc17f2ed )
Atos TrustedRoot Root CA ECC TLS 2021 (
Atos TrustedRoot Root CA RSA TLS 2021 (
SSL.com TLS ECC Root CA 2022 (
SSL.com TLS RSA Root CA 2022 (
ph...@google.com
For 2025, we brought two logs up:
- xenon2025h1 ranging from 2025-01-01 to 2025-07-01
- xenon2025h2 ranging from 2025-07-01 to 2026-01-01
- xenon2025h1 ranging from 2025-01-01 to 2025-07-01
- xenon2025h2 ranging from 2025-07-01 to 2026-01-01
ph...@google.com
xenon2025h1 inclusion request:
This Log is public and provides open access. There are no fees for submitting certificates or any other usage, including queries and mirroring. No prior contracts or agreements are required before the Log may be used.
Details:
Log ID: zxFW7tUufK/zh1vZaS6b6RpxZ0qwF+ysAdJbd87MOwg=
Log URL:https://ct.googleapis.com/logs/eu1/xenon2025h1/
Certificate Expiry Range: Jan 01 2025 00:00:00Z inclusive to Jul 01 2025 00:00:00Z exclusive
MMD: 24 hours
Server public key: file attached (xenon2025h1.der)
Accepted roots: The same roots as for existing Xenon Logs.
Additional Notes:
We will freeze the Log once its inclusion expiry window has passed and close it for new submissions as of Jul 01 2025 00:00:00Z. We will then request that trust be withdrawn from this Log by Chromium as all the certificates it contains will have expired and will therefore be no longer valid.
Submissions and queries are rate limited to protect our infrastructure. Rate limited requests will be denied with an HTTP error status code. We intend to provide serving capacity to support any reasonable usage level but additional automatic mechanisms exist that will operate to protect our infrastructure in emergency situations.
Implementation:
This Log is based on our Golang implementation of Certificate Transparency. The open source version of this code can be found at:https://github.com/google/trillian and https://github.com/google/certificate-transparency-go and it is made available under an Apache 2.0 license.
This Log is public and provides open access. There are no fees for submitting certificates or any other usage, including queries and mirroring. No prior contracts or agreements are required before the Log may be used.
Details:
Log ID: zxFW7tUufK/zh1vZaS6b6RpxZ0qwF+ysAdJbd87MOwg=
Log URL:
Certificate Expiry Range: Jan 01 2025 00:00:00Z inclusive to Jul 01 2025 00:00:00Z exclusive
MMD: 24 hours
Server public key: file attached (xenon2025h1.der)
Accepted roots: The same roots as for existing Xenon Logs.
Additional Notes:
We will freeze the Log once its inclusion expiry window has passed and close it for new submissions as of Jul 01 2025 00:00:00Z. We will then request that trust be withdrawn from this Log by Chromium as all the certificates it contains will have expired and will therefore be no longer valid.
Submissions and queries are rate limited to protect our infrastructure. Rate limited requests will be denied with an HTTP error status code. We intend to provide serving capacity to support any reasonable usage level but additional automatic mechanisms exist that will operate to protect our infrastructure in emergency situations.
Implementation:
This Log is based on our Golang implementation of Certificate Transparency. The open source version of this code can be found at:
ph...@google.com
xenon2025h2 inclusion request:
This Log is public and provides open access. There are no fees for submitting certificates or any other usage, including queries and mirroring. No prior contracts or agreements are required before the Log may be used.
Details:
Log ID: 3dzKNJXX4RYF55Uy+sef+D0cUN/bADoUEnYKLKy7yCo=
Log URL:https://ct.googleapis.com/logs/eu1/xenon2025h2/
Certificate Expiry Range: Jul 01 2025 00:00:00Z inclusive to Jan 01 2026 00:00:00Z exclusive
MMD: 24 hours
Server public key: file attached (xenon2025h2.der)
Accepted roots: The same roots as for existing Xenon Logs.
Additional Notes:
We will freeze the Log once its inclusion expiry window has passed and close it for new submissions as of Jan 01 2026 00:00:00Z. We will then request that trust be withdrawn from this Log by Chromium as all the certificates it contains will have expired and will therefore be no longer valid.
Submissions and queries are rate limited to protect our infrastructure. Rate limited requests will be denied with an HTTP error status code. We intend to provide serving capacity to support any reasonable usage level but additional automatic mechanisms exist that will operate to protect our infrastructure in emergency situations.
Implementation:
This Log is based on our Golang implementation of Certificate Transparency. The open source version of this code can be found at:https://github.com/google/trillian and https://github.com/google/certificate-transparency-go and it is made available under an Apache 2.0 license.
This Log is public and provides open access. There are no fees for submitting certificates or any other usage, including queries and mirroring. No prior contracts or agreements are required before the Log may be used.
Details:
Log ID: 3dzKNJXX4RYF55Uy+sef+D0cUN/bADoUEnYKLKy7yCo=
Log URL:
Certificate Expiry Range: Jul 01 2025 00:00:00Z inclusive to Jan 01 2026 00:00:00Z exclusive
MMD: 24 hours
Server public key: file attached (xenon2025h2.der)
Accepted roots: The same roots as for existing Xenon Logs.
Additional Notes:
We will freeze the Log once its inclusion expiry window has passed and close it for new submissions as of Jan 01 2026 00:00:00Z. We will then request that trust be withdrawn from this Log by Chromium as all the certificates it contains will have expired and will therefore be no longer valid.
Submissions and queries are rate limited to protect our infrastructure. Rate limited requests will be denied with an HTTP error status code. We intend to provide serving capacity to support any reasonable usage level but additional automatic mechanisms exist that will operate to protect our infrastructure in emergency situations.
Implementation:
This Log is based on our Golang implementation of Certificate Transparency. The open source version of this code can be found at:
jd...@chromium.org
Thanks for your 2025 log shard submissions! These logs will transition to Pending and we'll begin compliance monitoring imminently. We'll follow up in about 30 days if everything's looking good to transition the logs to Qualified.
as...@chromium.org
The following logs requested for inclusion in https://crbug.com/chromium/833350#c58 and https://crbug.com/chromium/833350#c59 have passed their initial compliance monitoring and will be added to Chrome as Qualified:
xenon2025h1
xenon2025h2
xenon2025h1
xenon2025h2
ja...@google.com
The following roots will be accepted in the next few days:
A-Trust-Root-09 (https://crt.sh/?sha256=7a38f708a35a31e42e1cf3220f9a2d273e7666354618b2464657d43d8e77adc2 )
AffirmTrust 4K TLS Root CA - 2022 (https://crt.sh/?sha256=a7dedf5a842167dd12fdaa0f2080e73295b8b8bea71b2094ea0950945a482fc1 )
CommScope Public Trust ECC Root-01 (https://crt.sh/?sha256=11437cda7bb45e41365f45b39a38986b0de00def348e0c7bb0873633800bc38b )
CommScope Public Trust ECC Root-02 (https://crt.sh/?sha256=2ffb7f813bbbb3c89ab4e8162d0f16d71509a830cc9d73c262e5140875d1ad4a )
CommScope Public Trust RSA Root-01 (https://crt.sh/?sha256=02bdf96e2a45dd9bf18fc7e1dbdf21a0379ba3c9c2610344cfd8d606fec1ed81 )
CommScope Public Trust RSA Root-02 (https://crt.sh/?sha256=ffe943d793424b4f7c440c1c3d648d5363f34b82dc87aa7a9f118fc5dee101f1 )
Entrust 4K EV TLS Root CA - 2022 (https://crt.sh/?sha256=647987d98d52645da4d3de3b80771a0ce02b9b9285e6e86999882170744ec9aa )
Entrust 4K TLS Root CA - 2022 (https://crt.sh/?sha256=dd6c44b39401b053dbe61120748bbb0f6056007665c168e5c286750edc8df129 )
Entrust P384 EV TLS Root CA - 2022 (https://crt.sh/?sha256=937ef8f12276b3c7a3f58e345d09a6eff01f862f8d2794441cd84d511825fa0c )
Entrust P384 TLS Root CA - 2022 (https://crt.sh/?sha256=420332ef876ebe78f2af5d28aaacde24aad0c10f8ffaac469efd7bd941929568 )
MOIS SSL Root CA (https://crt.sh/?sha256=1cf341ae35341ac3ae1dc68d5b10dc0c9dc1307656f75fd92ca2c68489d52e9a )
SwissSign RSA TLS Root CA 2022 - 1 (https://crt.sh/?sha256=193144f431e0fddb740717d4de926a571133884b4360d30e272913cbe660ce41 )
TWCA CYBER Root CA (https://crt.sh/?sha256=3f63bb2814be174ec8b6439cf08d6d56f0b7c405883a5648a334424d6b3ec558 )
Telekom Security TLS ECC Root 2020 (https://crt.sh/?sha256=578af4ded0853f4e5998db4aeaf9cbea8d945f60b620a38d1a3c13b2bc7ba8e1 )
Telekom Security TLS RSA Root 2023 (https://crt.sh/?sha256=efc65cadbb59adb6efe84da22311b35624b71b3b1ea0da8b6655174ec8978646 )
TrustAsia Global Root CA G3 (https://crt.sh/?sha256=e0d3226aeb1163c2e48ff9be3b50b4c6431be7bb1eacc5c36b5d5ec509039a08 )
TrustAsia Global Root CA G4 (https://crt.sh/?sha256=be4b56cb5056c0136a526df444508daa36a0b54f42e4ac38f72af470e479654c )
A-Trust-Root-09 (
AffirmTrust 4K TLS Root CA - 2022 (
CommScope Public Trust ECC Root-01 (
CommScope Public Trust ECC Root-02 (
CommScope Public Trust RSA Root-01 (
CommScope Public Trust RSA Root-02 (
Entrust 4K EV TLS Root CA - 2022 (
Entrust 4K TLS Root CA - 2022 (
Entrust P384 EV TLS Root CA - 2022 (
Entrust P384 TLS Root CA - 2022 (
MOIS SSL Root CA (
SwissSign RSA TLS Root CA 2022 - 1 (
TWCA CYBER Root CA (
Telekom Security TLS ECC Root 2020 (
Telekom Security TLS RSA Root 2023 (
TrustAsia Global Root CA G3 (
TrustAsia Global Root CA G4 (
nh...@chromium.org
As announced on ct-policy@ [1], effective 2024-02-02 the now-expired Xenon 2023 log will be removed from Chrome. Please refer to the linked announcement for more information on how this impacts CAs, log operators, and site operators.
[1]https://groups.google.com/a/chromium.org/g/ct-policy/c/TXkxW3r3qkE
[1]
is...@google.com
This issue was migrated from crbug.com/chromium/833350?no_tracker_redirect=1
[Auto-CCs applied]
[Monorail components added to Component Tags custom field.]
[Auto-CCs applied]
[Monorail components added to Component Tags custom field.]
pa...@google.com
The following roots will be accepted in the next few days:
Atos TrustedRoot Root CA ECC G2 2020 (https://crt.sh/?sha256=e38655f4b0190c84d3b3893d840a687e190a256d98052f159e6d4a39f589a6eb )
Atos TrustedRoot Root CA RSA G2 2020 (https://crt.sh/?sha256=78833a783bb2986c254b9370d3c20e5eba8fa7840cbf63fe17297a0b0119685e )
SSL.com Client ECC Root CA 2022 (https://crt.sh/?sha256=ad7dd58d03aedb22a30b5084394920ce12230c2d8017ad9b81ab04079bdd026b )
SSL.com Client RSA Root CA 2022 (https://crt.sh/?sha256=1d4ca4a2ab21d0093659804fc0eb2175a617279b56a2475245c9517afeb59153 )
Sectigo Public Email Protection Root E46 (https://crt.sh/?sha256=22d9599234d60f1d4bc7c7e96f43fa555b07301fd475175089dafb8c25e477b3 )
Sectigo Public Email Protection Root R46 (https://crt.sh/?sha256=d5917a7791eb7cf20a2e57eb98284a67b28a57e89182da53d546678c9fde2b4f )
Sectigo Public Time Stamping Root E46 (https://crt.sh/?sha256=e44ddb7952261f15005cd60c1d0c38c18cbfd17c273a31f8ed4c8f53e2685f32 )
Sectigo Public Time Stamping Root R46 (https://crt.sh/?sha256=4941b001b8a97e961b7817c9d9e960ec4b056bfc915a8c1aabf6ef6b3ac046a5 )
Atos TrustedRoot Root CA ECC G2 2020 (
Atos TrustedRoot Root CA RSA G2 2020 (
SSL.com Client ECC Root CA 2022 (
SSL.com Client RSA Root CA 2022 (
Sectigo Public Email Protection Root E46 (
Sectigo Public Email Protection Root R46 (
Sectigo Public Time Stamping Root E46 (
Sectigo Public Time Stamping Root R46 (
ph...@google.com
The following roots will be accepted in the next few days:
- D-TRUST BR Root CA 2 2023 (
https://crt.sh/?sha256=0552e6f83fdf65e8fa9670e666df28a4e21340b510cbe52566f97c4fb94b2bd1 ) - D-TRUST EV Root CA 2 2023 (
https://crt.sh/?sha256=8e8221b2e7d4007836a1672f0dcc299c33bc07d316f132fa1a206d587150f1ce ) - FIRMAPROFESIONAL CA ROOT-A WEB (
https://crt.sh/?sha256=bef256daf26e9c69bdec1602359798f3caf71821a03e018257c53c65617f3d4a ) - NAVER Cloud Trust Services ECC Root G1 (
https://crt.sh/?sha256=a7c8681042f3675aa8505d3ba313d80f8ac3250fdf874ad29b834689c087fb11 ) - NAVER Cloud Trust Services RSA Root G1 (
https://crt.sh/?sha256=49a2762987788d4834b32305d767760f244d507742e8c2539fd4ca3ad52c16ee ) - QuoVadis TLS ECC P384 Root G4 (
https://crt.sh/?sha256=6e1fd3ae0d2d477c8f5ee5f335cc5b6356872654e5356a73d8c0a30a17c252a2 ) - QuoVadis TLS RSA 4096 Root G4 (
https://crt.sh/?sha256=c8a2d38a24f5ac302d8a08ebd38923d9a750b49220f092e82d1c53249e1533d0 ) - e-Szigno TLS Root CA 2023 (
https://crt.sh/?sha256=b49141502d00663d740f2e7ec340c52800962666121a36d09cf7dd2b90384fb4 )
pa...@google.com
xenon2026h1 inclusion request:
This Log is public and provides open access. There are no fees for submitting certificates or any other usage, including queries and mirroring. No prior contracts or agreements are required before the Log may be used.
Details:
Log ID: lpdkv1VYl633Q4doNwhCd+nwOtX2pPM2bkakPw/KqcY=
Log URL:https://ct.googleapis.com/logs/eu1/xenon2026h1/
Certificate Expiry Range: Jan 01 2026 00:00:00Z inclusive to Jul 01 2026 00:00:00Z exclusive
MMD: 24 hours
Server public key: file attached (xenon2026h1.der)
Accepted roots: The same roots as for existing xenon Logs.
Additional Notes:
We will freeze the Log once its inclusion expiry window has passed and close it for new submissions as of Jul 01 2026 00:00:00Z . We will then request that trust be withdrawn from this Log by Chromium as all the certificates it contains will have expired and will therefore be no longer valid.
Submissions and queries are rate limited to protect our infrastructure. Rate limited requests will be denied with an HTTP error status code. We intend to provide serving capacity to support any reasonable usage level but additional automatic mechanisms exist that will operate to protect our infrastructure in emergency situations.
Implementation:
This Log is based on our Golang implementation of Certificate Transparency. The open source version of this code can be found at:https://github.com/google/trillian and https://github.com/google/certificate-transparency-go and it is made available under an Apache 2.0 license.
This Log is public and provides open access. There are no fees for submitting certificates or any other usage, including queries and mirroring. No prior contracts or agreements are required before the Log may be used.
Details:
Log ID: lpdkv1VYl633Q4doNwhCd+nwOtX2pPM2bkakPw/KqcY=
Log URL:
Certificate Expiry Range: Jan 01 2026 00:00:00Z inclusive to Jul 01 2026 00:00:00Z exclusive
MMD: 24 hours
Server public key: file attached (xenon2026h1.der)
Accepted roots: The same roots as for existing xenon Logs.
Additional Notes:
We will freeze the Log once its inclusion expiry window has passed and close it for new submissions as of Jul 01 2026 00:00:00Z . We will then request that trust be withdrawn from this Log by Chromium as all the certificates it contains will have expired and will therefore be no longer valid.
Submissions and queries are rate limited to protect our infrastructure. Rate limited requests will be denied with an HTTP error status code. We intend to provide serving capacity to support any reasonable usage level but additional automatic mechanisms exist that will operate to protect our infrastructure in emergency situations.
Implementation:
This Log is based on our Golang implementation of Certificate Transparency. The open source version of this code can be found at:
pa...@google.com
xenon2026h2 inclusion request:
This Log is public and provides open access. There are no fees for submitting certificates or any other usage, including queries and mirroring. No prior contracts or agreements are required before the Log may be used.
Details:
Log ID: 2AlVO5RPev/IFhlvlE+Fq7D4/F6HVSYPFdEucrtFSxQ=
Log URL:https://ct.googleapis.com/logs/eu1/xenon2026h2/
Certificate Expiry Range: Jul 01 2025 00:00:00Z inclusive to Jan 01 2027 00:00:00Z exclusive
MMD: 24 hours
Server public key: file attached (xenon2026h2.der)
Accepted roots: The same roots as for existing xenon Logs.
Additional Notes:
We will freeze the Log once its inclusion expiry window has passed and close it for new submissions as of Jan 01 2027 00:00:00Z exclusive . We will then request that trust be withdrawn from this Log by Chromium as all the certificates it contains will have expired and will therefore be no longer valid.
Submissions and queries are rate limited to protect our infrastructure. Rate limited requests will be denied with an HTTP error status code. We intend to provide serving capacity to support any reasonable usage level but additional automatic mechanisms exist that will operate to protect our infrastructure in emergency situations.
Implementation:
This Log is based on our Golang implementation of Certificate Transparency. The open source version of this code can be found at:https://github.com/google/trillian and https://github.com/google/certificate-transparency-go and it is made available under an Apache 2.0 license.
This Log is public and provides open access. There are no fees for submitting certificates or any other usage, including queries and mirroring. No prior contracts or agreements are required before the Log may be used.
Details:
Log ID: 2AlVO5RPev/IFhlvlE+Fq7D4/F6HVSYPFdEucrtFSxQ=
Log URL:
Certificate Expiry Range: Jul 01 2025 00:00:00Z inclusive to Jan 01 2027 00:00:00Z exclusive
MMD: 24 hours
Server public key: file attached (xenon2026h2.der)
Accepted roots: The same roots as for existing xenon Logs.
Additional Notes:
We will freeze the Log once its inclusion expiry window has passed and close it for new submissions as of Jan 01 2027 00:00:00Z exclusive . We will then request that trust be withdrawn from this Log by Chromium as all the certificates it contains will have expired and will therefore be no longer valid.
Submissions and queries are rate limited to protect our infrastructure. Rate limited requests will be denied with an HTTP error status code. We intend to provide serving capacity to support any reasonable usage level but additional automatic mechanisms exist that will operate to protect our infrastructure in emergency situations.
Implementation:
This Log is based on our Golang implementation of Certificate Transparency. The open source version of this code can be found at:
pa...@google.com
FYI updated both xenon2026 inclusion requests to reflect base64 log IDs.
as...@chromium.org
Xenon 2026 log applications look good and we will begin compliance monitoring shortly.
Like with argon2026h2's application, xenon2026h2 is listed as having an expiry range start of Jul 1 2025, but for anyone following along, this is supposed to be Jul 1 2026, which will be reflected in the public-facing log list.
Like with argon2026h2's application, xenon2026h2 is listed as having an expiry range start of Jul 1 2025, but for anyone following along, this is supposed to be Jul 1 2026, which will be reflected in the public-facing log list.
jd...@chromium.org
Xenon 2026 shards have passed their initial compliance monitoring period. These logs will be marked as Usable 70 days from tomorrow.
ph...@google.com
The following roots will be accepted in the next few days:
ph...@google.com
A few days from now,
Description
Xenon20XX - Google's latest public CT Logs, operating since 2017-December-05.
These Logs are implemented and operated by Google.
These Logs accept all certificates that are anchored in a root trusted by one of the major browser vendors including Apple, Microsoft and Mozilla. These Logs accept certificates expiring within the date range as listed below.
These Logs are public and provide open access. There are no fees for submitting certificates or any other usage including queries and mirroring. No prior contracts or agreements are required before the Logs may be used.
Details:
Log IDs:
Xenon 2018: sQzVWabWeEaBH335pRUyc5rEjXA76gMj2l04dVvArU4=
Xenon 2019: CEEUmABxUywWGQRgvPxH/cJlOvopLHKzf/hjrinMyfA=
Xenon 2020: B7dcG+V9aP/xsMYdIxXHuuZXfFeUt2ruvGE6GmnTohw=
Xenon 2021: fT7y+I//iFVoJMLAyp5SiXkrxQ54CX8uapdomX4i8Nc=
Xenon 2022: RqVV63X6kSAwtaKJafTzfREsQXS+/Um4havy/HD+bUc=
Log URLs:
Certificate Expiry Ranges:
Xenon 2018: Jan 01 2018 00:00:00Z inclusive to Jan 01 2019 00:00:00Z exclusive
Xenon 2019: Jan 01 2019 00:00:00Z inclusive to Jan 01 2020 00:00:00Z exclusive
Xenon 2020: Jan 01 2020 00:00:00Z inclusive to Jan 01 2021 00:00:00Z exclusive
Xenon 2021: Jan 01 2021 00:00:00Z inclusive to Jan 01 2022 00:00:00Z exclusive
Xenon 2022: Jan 01 2022 00:00:00Z inclusive to Jan 01 2023 00:00:00Z exclusive
MMDs: 24 hours for all logs.
Server public keys: attached in PEM file google-xenon-public-keys.zip
Accepted roots for all logs: Attached file: xenon-roots-20181205.pem
Contact Information:
- email: google-ct-logs@googlegroups.com
- phone number: +442070313000 (Google UK)
- Authorized Persons: Al Cutter, Pierre Phaneuf, Paul Hadfield, Martin Smith, Rob Percival, Kat Joyce, David Drysdale
Additional Notes:
We will freeze the Logs once their inclusion expiry window has passed by closing it for new submissions. We will then request that trust be withdrawn from this log by Chromium as all the certificates it contains will have expired and will therefore be no longer valid.
The combination of the certificate expiry ranges of the new Google Xenon Logs will allow any certificate that chains to a trusted root and has a lifetime of 39 months or less to be logged to one of the new Xenon Logs, if it is issued within the next year. Further Xenon Logs will be turned up in the future in order to maintain the window for accepted certificates.
Submissions are subject to rate limits by IP address. Queries are rate limited by IP address. Rate limited requests will be denied with an HTTP error status code. We intend to provide serving capacity to support any reasonable usage level but additional automatic mechanisms exist that will operate to protect our infrastructure in emergency situations.
The purpose of our new Logs is an attempt to move towards a more managed and predictable lifecycle for CT Logs and thereby reduce operational overhead for both submitters and log operators. We have no current plan or schedule to discontinue serving these Logs, but may revisit this as operational policies within the ecosystem evolve.
Implementation:
This Log is based on our Golang implementation of Certificate Transparency. The open source version of this code can be found at: