Apple Certificate Transparency policy

Malbrouck · November 8, 2018, 12:55pm

The next version of MacOS will enforce the Apple Certificate Transparent policy.

My sites using Let’s Encrypt certificates are listed in https://crt.sh/ . Is it good enough to keep them running with MacOS ?

mnordhoff · November 8, 2018, 1:39pm

Edit: The first part of this post may be incorrect. See below.

I believe so. Let’s Encrypt currently embeds SCTs in certificates in compliance with Chrome’s CT policy. Apple’s policy is similar to Chrome’s; I don’t think there will be any issues. It’s something Let’s Encrypt will have to keep an eye on, though.

The only sticking point I can think of is that Chrome trusts DigiCert’s Yeti logs, while Apple’s website lists them as “pending”. I think Let’s Encrypt logs to Yeti but doesn’t yet embed SCTs from Yeti. If I’m wrong, that would be a problem.

Edit:

Being listed on crt.sh isn’t necessarily good enough. crt.sh includes some logs that aren’t trusted by Chrome or Apple. A certificate could embed SCTs from the wrong logs, or too few logs. Or a certificate could embed SCTs from zero logs at all, but still have been submitted to one or more logs after being issued.

(Incidentally, SCTs can be delivered via a TLS extension or OCSP. Issuing and logging precertificates and embedding SCTs in certificates isn’t the only way to implement CT.)

crt.sh has a useful page listing what logs it monitors, and what versions of Chrome and macOS trust them.

https://crt.sh/monitored-logs

Edit:

I was wrong, Let’s Encrypt does embed SCTs from Yeti. Hrm. I’m not saying there’s a problem, but there might be a problem.

cpu · November 8, 2018, 5:47pm

Agreed, thanks for flagging. We'll have to figure out how to handle this.

roland · November 9, 2018, 2:26am

Unfortunately the list in that linked ticket is rather out of date at this point. I believe it will be updated at some time in the future but for now the canonical log list Apple publishes is hosted elsewhere: https://valid.apple.com/ct/log_list/current_log_list.json (note the format has changed considerably since the original was posted on the support ticket).

This up to date list shows that all shards of the DigiCert Yeti log are currently in the “usable” state, which matches the state they are in for Chrome.

mnordhoff · November 9, 2018, 2:31am

Whew. That’s good news.

Just wondering, how did you find that URL?

roland · November 9, 2018, 3:07am

It was shared at a recent CA/UA CT policy meeting. If you have access to Apple developer betas for macOS and iOS you can also manually verify the trusted status.

robstradling · November 12, 2018, 11:06am

Hi. I’ve just updated the Apple log list details on https://crt.sh/monitored-logs to match Apple’s canonical list (https://valid.apple.com/ct/log_list/current_log_list.json).

system · December 12, 2018, 11:06am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
[Google Chrome] Announcement: Requiring Certificate Transparency in 2017 Feature Requests	3	2999	November 24, 2016
Signed Certificate Timestamps embedded in certificates API Announcements	2	19202	March 29, 2018
Upcoming Support for Google Chrome Feature Requests	2	5452	March 29, 2018
SCT feature support Issuance Tech	8	2938	April 28, 2018
Security Research: Chrome Removes “One Google Log” Requirement from Its CT Policy Issuance Policy	3	858	April 16, 2022

Apple Certificate Transparency policy

Related topics