Apple Certificate Transparency policy


#1

The next version of macOS will enforce the Apple Certificate Transparency policy.

My sites using Let’s Encrypt certificates are listed in https://crt.sh/ . Is it good enough to keep them running with macOS?


#2

Edit: The first part of this post may be incorrect. See below.

I believe so. Let’s Encrypt currently embeds SCTs in certificates in compliance with Chrome’s CT policy. Apple’s policy is similar to Chrome’s; I don’t think there will be any issues. It’s something Let’s Encrypt will have to keep an eye on, though.

https://support.apple.com/en-us/HT205280

The only sticking point I can think of is that Chrome trusts DigiCert’s Yeti logs, while Apple’s website lists them as “pending”. I think Let’s Encrypt logs to Yeti but doesn’t yet embed SCTs from Yeti. If I’m wrong, that would be a problem.

Edit:

Being listed on crt.sh isn’t necessarily good enough. crt.sh includes some logs that aren’t trusted by Chrome or Apple. A certificate could embed SCTs from the wrong logs, or too few logs. Or a certificate could embed SCTs from zero logs at all, but still have been submitted to one or more logs after being issued.

(Incidentally, SCTs can be delivered via a TLS extension or OCSP. Issuing and logging precertificates and embedding SCTs in certificates isn’t the only way to implement CT.)

crt.sh has a useful page listing what logs it monitors, and what versions of Chrome and macOS trust them.

https://crt.sh/monitored-logs

Edit:

I was wrong, Let’s Encrypt does embed SCTs from Yeti. Hrm. I’m not saying there’s a problem, but there might be a problem.


#3

Agreed, thanks for flagging. We’ll have to figure out how to handle this.


#4

Unfortunately the list in that linked ticket is rather out of date at this point. I believe it will be updated at some time in the future but for now the canonical log list Apple publishes is hosted elsewhere: https://valid.apple.com/ct/log_list/current_log_list.json (note the format has changed considerably since the original was posted on the support ticket).

This up-to-date list shows that all shards of the DigiCert Yeti log are currently in the “usable” state, which matches the state they are in for Chrome.
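The two concerns raised above (post #2: a certificate may embed SCTs from logs the client does not trust, or too few of them; post #4: the canonical answer is the log list JSON and each log's state) can be checked mechanically. The following is an added example, not code from the thread or from Let’s Encrypt or Apple: it serializes and parses the RFC 6962 SignedCertificateTimestampList structure that is embedded in a certificate, then counts how many of the embedded SCTs come from logs in an accepted state in a log list. The log list shape (`operators` → `logs` → `log_id`/`state`) follows the Chrome-style format and is assumed to be close to Apple's; the accepted-state set (`usable`, `readonly`, `qualified`), the `min_scts` threshold, the log IDs, timestamps and signature bytes are all constructed for the example and are not the policy's actual numbers. The example does not verify SCT signatures, which a real client also does.

```python
import base64
import hashlib
import struct

# RFC 6962 constants for a v1 SCT carrying an ECDSA/SHA-256 signature.
SCT_V1 = 0
HASH_SHA256 = 4
SIG_ECDSA = 3

# Assumption: which log-list states count as "accepted" for an embedded SCT.
ACCEPTED_STATES = ("usable", "readonly", "qualified")


def encode_sct(log_id, timestamp_ms, signature, extensions=b""):
    """Serialize one v1 SignedCertificateTimestamp (RFC 6962 section 3.2)."""
    if len(log_id) != 32:
        raise ValueError("log_id must be the 32-byte SHA-256 of the log key")
    return (bytes([SCT_V1]) + log_id + struct.pack(">Q", timestamp_ms)
            + struct.pack(">H", len(extensions)) + extensions
            + bytes([HASH_SHA256, SIG_ECDSA])
            + struct.pack(">H", len(signature)) + signature)


def encode_sct_list(scts):
    """SignedCertificateTimestampList: 2-byte total length, then 2-byte-prefixed SCTs."""
    body = b"".join(struct.pack(">H", len(s)) + s for s in scts)
    return struct.pack(">H", len(body)) + body


def parse_sct_list(data):
    """Parse a SignedCertificateTimestampList into dicts, rejecting truncated input."""
    if len(data) < 2:
        raise ValueError("SCT list too short")
    (total,) = struct.unpack(">H", data[:2])
    if total != len(data) - 2:
        raise ValueError("SCT list length mismatch")
    pos, out = 2, []
    while pos < len(data):
        (n,) = struct.unpack(">H", data[pos:pos + 2])
        pos += 2
        sct = data[pos:pos + n]
        pos += n
        if len(sct) != n or n < 43:
            raise ValueError("truncated SCT")
        if sct[0] != SCT_V1:
            raise ValueError(f"unsupported SCT version {sct[0]}")
        log_id = sct[1:33]
        (ts,) = struct.unpack(">Q", sct[33:41])
        (ext_len,) = struct.unpack(">H", sct[41:43])
        p = 43 + ext_len                      # start of DigitallySigned
        hash_alg, sig_alg = sct[p], sct[p + 1]
        (sig_len,) = struct.unpack(">H", sct[p + 2:p + 4])
        sig = sct[p + 4:p + 4 + sig_len]
        if len(sig) != sig_len or p + 4 + sig_len != n:
            raise ValueError("malformed SCT signature field")
        out.append({"log_id": log_id, "timestamp_ms": ts,
                    "hash_alg": hash_alg, "sig_alg": sig_alg, "signature": sig})
    return out


def accepted_log_ids(log_list):
    """Map raw log_id bytes -> operator name for every log in an accepted state."""
    accepted = {}
    for op in log_list["operators"]:
        for log in op["logs"]:
            state = next(iter(log["state"]))   # e.g. "usable", "pending", "retired"
            if state in ACCEPTED_STATES:
                accepted[base64.b64decode(log["log_id"])] = op["name"]
    return accepted


def check_embedded_scts(sct_list_bytes, log_list, min_scts):
    """Count embedded SCTs from accepted logs and compare against a threshold."""
    scts = parse_sct_list(sct_list_bytes)
    accepted = accepted_log_ids(log_list)
    good = [s for s in scts if s["log_id"] in accepted]
    return {"total": len(scts), "accepted": len(good),
            "operators": sorted({accepted[s["log_id"]] for s in good}),
            "ok": len(good) >= min_scts}


# Constructed sample data: real log IDs are SHA-256 hashes of the log's DER public key.
def _log_id(label):
    return hashlib.sha256(label).digest()


LOG_A, LOG_B, LOG_C = (_log_id(b"constructed-log-A"),
                       _log_id(b"constructed-log-B"),
                       _log_id(b"constructed-log-C"))

SAMPLE_LOG_LIST = {"operators": [
    {"name": "Operator One", "logs": [
        {"description": "Log A", "log_id": base64.b64encode(LOG_A).decode(),
         "state": {"usable": {"timestamp": "2019-01-01T00:00:00Z"}}}]},
    {"name": "Operator Two", "logs": [
        {"description": "Log B", "log_id": base64.b64encode(LOG_B).decode(),
         "state": {"usable": {"timestamp": "2019-01-01T00:00:00Z"}}},
        {"description": "Log C", "log_id": base64.b64encode(LOG_C).decode(),
         "state": {"pending": {"timestamp": "2019-01-01T00:00:00Z"}}}]}]}

DUMMY_SIG = b"\x30\x06\x02\x01\x01\x02\x01\x01"   # constructed, not a real signature
SAMPLE_SCTS = [encode_sct(LOG_A, 1546300800000, DUMMY_SIG),
               encode_sct(LOG_B, 1546300801000, DUMMY_SIG),
               encode_sct(LOG_C, 1546300802000, DUMMY_SIG)]   # from a pending log


def demo(min_scts=2):
    """Run the check over the constructed SCT list and log list."""
    return check_embedded_scts(encode_sct_list(SAMPLE_SCTS), SAMPLE_LOG_LIST, min_scts)


if __name__ == "__main__":
    print(demo())
```

In the constructed data three SCTs are embedded but only two come from logs in an accepted state, so the check passes a threshold of two and fails a threshold of three; an SCT from a "pending" log is parsed but not counted, which is exactly the situation post #2 worried about. To use this against a real certificate, feed it the value of the `1.3.6.1.4.1.11129.2.4.2` extension (with its outer OCTET STRING wrapper removed) and a freshly fetched log list.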


#5

Whew. That’s good news.

Just wondering, how did you find that URL?


#6

It was shared at a recent CA/UA CT policy meeting. If you have access to Apple developer betas for macOS and iOS you can also manually verify the trusted status.


#7

Hi. I’ve just updated the Apple log list details on https://crt.sh/monitored-logs to match Apple’s canonical list (https://valid.apple.com/ct/log_list/current_log_list.json).