I have been learning certificate transparency recently, but I am not very clear about the differences and relationship between v1, v2 and Sunlight logs.
What I have learnt so far is:
CTv1 is described in RFC6962, which was published in June 2013; the implementation is often referred to as 'Trillian' logs, perhaps because most log operators use Trillian to run their logs?
CTv2 is described in RFC9162, which was published in December 2021, and it obsoletes CTv1 (RFC6962). AFAIK, CTv2 is not just a minor upgrade of CTv1, as its data structure has changed and the pre-certificate format has been changed to CMS signed data, both of which are really different from CTv1.
Sunlight logs were introduced by Let's Encrypt in March this year, in partnership with Filippo Valsorda. What I learnt is that Sunlight logs have CTv1-compatible write path API endpoints, and only the read path API endpoints differ from CTv1. The data structure it uses can be seen as another representation of the same data that CTv1 uses, so it is possible to use a proxy server to turn a Sunlight log into a fully CTv1-compatible log.
I'm not sure whether I understood these logs correctly, and please correct me if possible.
What I find confusing is that CTv2 (RFC9162) seems not to have been adopted at all.
When I search for Certificate Transparency, most pages, including CAs (e.g. Digicert) and Certificate Consumers (e.g. Mozilla), are referencing RFC9162 as the standard that defined CT.
However, all CT logs I could find only have the <Base URL>/ct/v1/get-sth endpoint; none of them has the <Base URL>/ct/v2/get-sth endpoint. (Indeed, I understand it is impossible for a log to be both CTv1 and CTv2.)
Another clue is that not a single CTv2 LogID (OID) has been assigned by IANA - LogIDs, so I think no one has actually operated a CTv2-compatible log at all, and it is not possible for me to find one.
So I have a few questions about these CT logs:
- What is the current adoption status of RFC9162 CTv2 logs? Has anyone actually operated a CTv2 log?
- Both RFC6962 and RFC9162 are Experimental RFCs, so I think they are of the same level of formality. So why doesn't the industry upgrade to the newer standard? It is so weird that it is even difficult to find discussions about CTv2 online.
- Is it unreasonable for RFC9162 to obsolete RFC6962? CTv1 and CTv2 could be two different standards, and it can be extremely misleading for beginners learning the widely adopted CTv1 internals.
- Why are even newly developed CT logs like Sunlight still based on CTv1? Is it just to ensure compatibility with the existing CTv1 ecosystem of CAs and auditors?
I have searched extensively but have been unable to find answers to these questions. I would greatly appreciate any insights or answers the community can provide.
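As an added worked example (editorial, not part of the question and not code from any log implementation), the following Python builds the RFC 6962 Merkle tree hash, generates and verifies inclusion and consistency proofs, checks a /ct/v1/get-sth response's sha256_root_hash against a locally rebuilt tree, and serializes the TreeHeadSignature input that a v1 log's key signs. The 0x00/0x01 leaf and node prefixes and the proof verification algorithms are the same in RFC 6962 and RFC 9162 (the v2 changes are in the wire formats and the pre-certificate, not in the tree hash), so a verifier computes the same values whatever storage layout a log uses internally. The entries, timestamp and STH dictionary are constructed for the example; signature verification is left out because it needs the log's public key.

```python
# RFC 6962 / RFC 9162 Merkle tree primitives for a CT log (added example).
# All inputs below are constructed for illustration, not fetched from a real log.
import base64
import hashlib
import struct

LEAF_PREFIX = b"\x00"  # domain separation between leaves and interior nodes
NODE_PREFIX = b"\x01"


def hash_leaf(entry: bytes) -> bytes:
    return hashlib.sha256(LEAF_PREFIX + entry).digest()


def hash_children(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(NODE_PREFIX + left + right).digest()


def split_point(n: int) -> int:
    """Largest power of two strictly less than n (n >= 2)."""
    k = 1
    while k * 2 < n:
        k *= 2
    return k


def tree_hash(entries) -> bytes:
    """MTH(D[n]) from RFC 6962 section 2.1; empty tree hashes the empty string."""
    n = len(entries)
    if n == 0:
        return hashlib.sha256(b"").digest()
    if n == 1:
        return hash_leaf(entries[0])
    k = split_point(n)
    return hash_children(tree_hash(entries[:k]), tree_hash(entries[k:]))


def inclusion_proof(m: int, entries) -> list:
    """PATH(m, D[n]): sibling hashes from leaf m up to the root (RFC 6962 section 2.1.1)."""
    n = len(entries)
    if n == 1:
        return []
    k = split_point(n)
    if m < k:
        return inclusion_proof(m, entries[:k]) + [tree_hash(entries[k:])]
    return inclusion_proof(m - k, entries[k:]) + [tree_hash(entries[:k])]


def consistency_proof(m: int, entries, start_from_root=True) -> list:
    """PROOF(m, D[n]) = SUBPROOF(m, D[n], true) for 0 < m < n (RFC 6962 section 2.1.2)."""
    n = len(entries)
    if m == n:
        return [] if start_from_root else [tree_hash(entries)]
    k = split_point(n)
    if m <= k:
        return consistency_proof(m, entries[:k], start_from_root) + [tree_hash(entries[k:])]
    return consistency_proof(m - k, entries[k:], False) + [tree_hash(entries[:k])]


def verify_inclusion(leaf_hash, leaf_index, tree_size, path, root) -> bool:
    """Client-side check from RFC 9162 section 2.1.3.2 (same tree as RFC 6962)."""
    if leaf_index >= tree_size:
        return False
    fn, sn, r = leaf_index, tree_size - 1, leaf_hash
    for p in path:
        if sn == 0:
            return False
        if fn & 1 or fn == sn:
            r = hash_children(p, r)
            while not (fn & 1) and fn != 0:  # skip levels where the node is the right child
                fn >>= 1
                sn >>= 1
        else:
            r = hash_children(r, p)
        fn >>= 1
        sn >>= 1
    return sn == 0 and r == root


def verify_consistency(first, second, first_hash, second_hash, path) -> bool:
    """Client-side check from RFC 9162 section 2.1.4.2; defined for 0 < first < second."""
    if not (0 < first < second) or not path:
        return False
    if first & (first - 1) == 0:  # first is an exact power of two: old root is the first node
        path = [first_hash] + list(path)
    fn, sn = first - 1, second - 1
    while fn & 1:
        fn >>= 1
        sn >>= 1
    fr = sr = path[0]
    for c in path[1:]:
        if sn == 0:
            return False
        if fn & 1 or fn == sn:
            fr = hash_children(c, fr)
            sr = hash_children(c, sr)
            while not (fn & 1) and fn != 0:
                fn >>= 1
                sn >>= 1
        else:
            sr = hash_children(sr, c)
        fn >>= 1
        sn >>= 1
    return fr == first_hash and sr == second_hash and sn == 0


def tree_head_signature_input(timestamp_ms: int, tree_size: int, root: bytes) -> bytes:
    """TLS-encoded TreeHeadSignature (RFC 6962 section 3.5): the 50 bytes the log key signs.
    version v1 = 0x00, signature_type tree_hash = 0x01, uint64 timestamp, uint64 tree_size, 32-byte root."""
    return b"\x00\x01" + struct.pack(">QQ", timestamp_ms, tree_size) + root


def sth_root_matches(sth: dict, entries) -> bool:
    """Compare a /ct/v1/get-sth response's sha256_root_hash with a tree rebuilt from known entries."""
    if sth["tree_size"] != len(entries):
        return False
    return base64.b64decode(sth["sha256_root_hash"]) == tree_hash(entries)


if __name__ == "__main__":
    entries = [b"constructed entry %d" % i for i in range(7)]  # stand-ins for MerkleTreeLeaf bytes
    root = tree_hash(entries)
    sth = {"tree_size": 7, "timestamp": 1700000000000,  # constructed get-sth response
           "sha256_root_hash": base64.b64encode(root).decode()}
    print("STH root matches rebuilt tree:", sth_root_matches(sth, entries))
    print("leaf 3 included:", verify_inclusion(hash_leaf(entries[3]), 3, 7, inclusion_proof(3, entries), root))
    print("size 3 -> 7 consistent:", verify_consistency(3, 7, tree_hash(entries[:3]), root, consistency_proof(3, entries)))
```

The `_ms` timestamp and the two fixed leading bytes are what a v1 STH signature covers; to go further, one would decode `tree_head_signature` (a TLS DigitallySigned structure) and verify it with the log's public key from the log list, which is deliberately outside this example.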