Update CT log policy logic
https://groups.google.com/a/chromium.org/g/ct-policy/c/507lPdbbwSk
The following changes will take effect in Chrome 100, which is scheduled to be released on 29 March 2022:
For certificates issued on-or-after 15 April 2022 (2022-04-15T00:00:00), it is no longer required that certificates are accompanied by SCTs from a Google-operated CT log. Instead, there must be SCTs from at least 2 distinct CT log operators as specified in the Chrome CT log list.
The Apple CT policy does not implement the One Google CT Log policy so we're fine there.
The relevant boulder-ra section is https://github.com/letsencrypt/boulder/blob/main/cmd/boulder-ra/main.go#L78-L83
We actually need to do a little more here. Right now we submit to five logs:
- Google Xenon, Google Argon
- Sectigo Mammoth, Cloudflare Nimbus, Let's Encrypt Oak
We can issue certificates with pairs of SCTs like [Xenon, Mammoth], [Argon, Nimbus], etc. But never [Mammoth, Nimbus] or [Xenon, Argon].
As of tomorrow, under the new policy, it will be okay to issue certificates with pairs of SCTs from purely non-Google logs, like [Mammoth, Nimbus]. But it will still not be okay to issue a certificate with a pair of SCTs from a single log operator. Currently the only log operator that has multiple logs in our submission list is Google. So it still won't be okay to issue a certificate with a pair of SCTs from [Xenon, Argon].
Fortunately, so long as we maintain the Google / non-Google log groups distinction, our certificates will still meet the rules. But to take maximum advantage of Chrome's new policy to boost our availability, we will need to change our log submission code to be aware of "operators" (groupings that apply an "at most 1" rule for SCTs) rather than "log groups" (groupings that apply an "at least 1" rule for SCTs).
I also filed an issue against certificate-transparency-go for implementing the new policy: https://github.com/google/certificate-transparency-go/issues/906. This doesn't necessarily affect us, since we own our own submission logic, but if ct-go implements the new submission logic, we might switch to theirs.
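The two selection rules contrasted above (old "log groups" vs. new "operators"), as an added Go example that is not boulder's own code; the five-log submission list is constructed from the names in this thread, and `SelectPair` is a hypothetical selector standing in for the RA's submission logic:

```go
package main

// Log is one CT log in the submission list. Operator is who runs it, which is
// what Chrome's policy for certs issued on or after 2022-04-15 keys on.
type Log struct{ Name, Operator string }

// Constructed list mirroring the five logs named in the thread.
var SubmissionLogs = []Log{
	{"Xenon", "Google"}, {"Argon", "Google"},
	{"Mammoth", "Sectigo"}, {"Nimbus", "Cloudflare"}, {"Oak", "Let's Encrypt"},
}

// MeetsOldPolicy encodes the "log groups" rule: at least one SCT from the
// Google group and at least one from the non-Google group.
func MeetsOldPolicy(scts []Log) bool {
	google, other := false, false
	for _, l := range scts {
		if l.Operator == "Google" {
			google = true
		} else {
			other = true
		}
	}
	return google && other
}

// MeetsNewPolicy encodes the "operators" rule: SCTs must come from at least
// two distinct operators, so at most one SCT per operator counts.
func MeetsNewPolicy(scts []Log) bool {
	ops := map[string]bool{}
	for _, l := range scts {
		ops[l.Operator] = true
	}
	return len(ops) >= 2
}

// SelectPair (hypothetical) picks the first pair of SCTs, among the logs that
// actually answered, that satisfies policy; ok is false if no pair complies.
func SelectPair(returned []Log, policy func([]Log) bool) (pair []Log, ok bool) {
	for i := range returned {
		for j := i + 1; j < len(returned); j++ {
			if p := []Log{returned[i], returned[j]}; policy(p) {
				return p, true
			}
		}
	}
	return nil, false
}
```

With both Google logs unavailable, `SelectPair` under `MeetsOldPolicy` finds nothing while under `MeetsNewPolicy` it returns [Mammoth, Nimbus], which is the availability gain the comment describes.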
These changes were deployed to production on October 4th. I've begun removing the dead codepaths alongside #6435.