Embed SCT receipts in certificates #2244
Comments
|
OCSP responses already contain SCT receipts and work is underway to embed them in certificates. |
|
Uh, my bad, apparently we don't include receipts in OCSP responses. I was pretty sure we merged code to do that but apparently not. Changing title to reflect the current plan which is embedding receipts in certificates. |
rolandshoemaker
changed the title
|
Side note: usefulness of this feature (at least based on Chromium policy) is minimal until we can find a non-Google CT log that will accept our certificates. |
|
|
|
Currently I push all my certs to: ct.googleapis.com/pilot All of them accepts the certificates issued from Let's Encrypt. |
|
|
|
If https://www.chromium.org/Home/chromium-security/certificate-transparency is up to date, |
|
ctlog.wosign.com is in the M54 Release see https://bugs.chromium.org/p/chromium/issues/detail?id=605415 |
|
I just doubt |
|
If booth of StartCom and WoSign reapply for the NSS inclusion they need two logs. My last test cert from them used Aviator and Pilot. But this is a bad decission since they have there own log. But indeed Google made a new log just for Let's Encrypt "Icarus" but Let's Encrypt don't use them currently. |
|
|
|
This is correct because it is still in the 90 days monitoring phase. The Chrome Policy is planned for October 2017 so there is plentiful time over. https://bugs.chromium.org/p/chromium/issues/detail?id=632753 Google is trying to put load from the three main CT Logs see https://groups.google.com/a/chromium.org/forum/#!msg/ct-policy/2ZL4tSCwbYU/xcck3xZ8BQAJ Icarus is currently Let's Encrypt only. So the only question is which CT log is able to withstand the load from Let's Encrypt which is not operated by Google or ISRG. The active cert count is growing and we need a stable log for this. |
|
Icarus und Skydriver have passed the monitoring phase on Nov 3 and are now going it's way through canary, beta and then stable. See https://chromium.googlesource.com/chromium/src.git/+/403c8359bdc2b635d480a80329c41be422583c1f I would appreciate it if Let's Encrypt is setting up there own log. But I think it would be better for the community to have a log which is not operated from a CA, Organization or something else. I think it would be the best to use a community driven, open and auditable (registered association) log which is financed from the CA's which want there certificated added there. What do you think about this? |
Why not let a NGO host such a log? EFF, what do you say? |
|
Most likely if one of EFF or Let's Encrypt were to operate a CT log, it would be Let's Encrypt. That way Let's Encrypt could manage that log's availability as part of Let's Encrypt's own availability. However, as you point out, it's another significant cost of time for Let's Encrypt staff, that we're not currently prepared to commit to. So we're still looking for a third-party log to submit to. That said, we are starting to design the process to submit precertificates so we can embed SCTs in certificates, and plan to implement before next October. |
|
Maybe add this to https://letsencrypt.org/upcoming-features/? |
|
Is there an updated ETA for this? |
|
Currently they are only pushing the CT's to Icarus so they need the second external provided CT Log. |
|
|
|
It should be noted: this log exists for testing CT infrastructure and deployment designs, it should not be considered production quality, nor expected to maintain strict long term consistency. We will not be requesting Chrome inclusion for this log. |
|
AFAIK, this is in addition to Google's |
|
This would also be a requirement to support the upcomming |
See also https://gist.github.com/sleevi/08e578719d92d9a5a3c2e1d59839b77e
|
|
@Knight1 I believe this commit introduces code for issuing a precertificate, but it doesn't completely wire up the flow of issuing a precert, obtaining SCTs, and then embedding them in the final cert, so AFAIK there isn't anything to flip the bit on yet. |
|
Just to clarify, LE plans to only support SCTs embedded in certificates, but not in OCSP responses, correct? |
|
For now, yes. It's the simplest approach that will work for all of our users. |
|
Is there any ETA? |
|
@rugk I'm not an employee of Let's Encrypt but there is ETA here: https://letsencrypt.org/upcoming-features/
|
|
Not to be "that guy" but it's February. :) Do we have an ETA on this? |
|
I suppose they are busy with rolling out ACME v2 and wildcards... :) |
|
I look forward to an update :) |
|
https://groups.google.com/a/chromium.org/forum/#!topic/ct-policy/wHILiYf31DE End of April 2018 is not that easy since they are currently in the ACMEv2 and this does not include it nor the staging environment. But they are still on it |
|
We're working hard on it, but will probably not land this in production before the end of February. Still, we are very much aware of the upcoming deadline and committed to meeting it. Thanks for the enthusiasm everyone! :-) |
Adds SCT embedding to the certificate issuance flow. When a issuance is requested a precertificate (the requested certificate but poisoned with the critical CT extension) is issued and submitted to the required CT logs. Once the SCTs for the precertificate have been collected a new certificate is issued with the poison extension replace with a SCT list extension containing the retrieved SCTs. Fixes #2244, fixes #3492 and fixes #3429.
|
Hi, I see that you recently upgraded boulder past this commit, but I don't see it live in production yet. Is this expected (e.g. it needs flag flip)? |
|
@thestinger Great news! Thanks for sharing
|
|
Glad that this issue is resolved. FYI the URL in the prior message is 404 at the moment. https://letsencrypt.status.io/16 |
|
@science The "16" is the number of times the link has been clicked on Discourse. They just meant that when SCT embedding goes live a notice will be posted on the status page. |
|
I've edited @hickford's comment to fix the URL, which succumbed to a copy-paste bug as @georgeperez describes. |
Please add certificate information to issued certificates (or OCSP respones).
As even StartSSL/WoSign do this, you should also be able to do it. Including them in the cert (or OCSP respones) is the easiest way to do this and does not rely on the web admin to do anything.
The text was updated successfully, but these errors were encountered: