Doesn't Oak 2020 still have unexpired certificates in it? (no, it isn't)

Retiring Let’s Encrypt Testflume and Oak 2019/2020 CT shards
As LE's 90-day certificates aren't the only certificates ork accepts, and ork 2020's window was 2020-2021
(is this notBefore or notAfter?), 1-year certificates from other providers will be there, so I don't think it's safe enough to retire this log yet.
ork 2022 is filled, so it's classed by good-'til date.
Not sure how many providers used SCTs from ork so that online CT checks will use ork, but in a practical sense not much, I guess.

3 Likes

I thought certificate shards were usually named after the expiration dates of the certificates in them, not the issuance dates. So I think anything in a 2020 shard should be expired by now? I'm really far from being an expert on CT, though.

5 Likes

As you said, ork 2022 is filled, so I guess it is classed by expiry date.

3 Likes

Oak 2020 no longer has valid certificates in it - they are all expired. A CT log accepts certificates/precerts based on the notAfter field in the cert/precert. See RFC 5280 for more information on that field.

Each temporal CT shard is configured with a window so that no particular log can grow unbounded and become unmaintainable. You can see our configured window range for each shard at https://letsencrypt.org/docs/ct-logs/.

It's all very Dr. Who wibbly wobbly timey wimey. :timer_clock: :evergreen_tree:

7 Likes

Again, I'm far from being a CT expert, but I think in order to be all "wibbly wobbly timey wimey" one would need to both set phasers to stun and use the --force when getting the certificate.

6 Likes

Is it ORK or OAK?
LUL

4 Likes

Each log can set its own policies (though of course if your policies aren't acceptable to at least Google it seems pointless to operate a public log), but it's correct that the policies used to shard popular named logs like Oak are based on expiry date. For example Xenon2023 (operated by Google as a shard of the Xenon group of logs) won't be seeing any normal entries for a while now because under Apple's revised rules there will be no new certificates expiring in 2023 until the end of this year, likewise Nimbus 2023 operated by Cloudflare.

The policies don't necessarily exactly match (even to the day) the apparent range, so a 2020 log might have contained certificates that expired in January 2021, for example, depending on how the range was defined. I believe Oak has a week overlap, so certificates expiring on 5 January 2021 might have been in Oak 2020. Such an overlap can help avoid anything breaking on New Year's morning, which is generally not a good time to get the best work from on-call IT staff.

5 Likes

Say @Phil, both of the Google-hosted CT log mirrors you linked to in your announcements post are currently giving me 404 errors! Are those URLs correct?

3 Likes

Quoth the server: 404

3 Likes

The URLs are correct, but I did not add the RFC 6962 endpoint information to them.

Example:

$ curl -s https://ct.googleapis.com/logs/eu1/mirrors/letsencrypt_oak2019/ct/v1/get-sth
{"tree_size":559850441,"timestamp":1614174696273,"sha256_root_hash":"L8YCwGPzBaLlLNPfUYvBBD7+HxOlspzqauPYofrY6sg=","tree_head_signature":"BAMARzBFAiBH2+EQekg/AjWc+6ftHJ5tZ1mtUvTbVn95mW5HVoo9eQIhAJfsbJNOq5/oOrMpIK5GiNIMgkw6VwqJomqD2a/IQTKs"}

$ curl -s https://oak.ct.letsencrypt.org/2019/ct/v1/get-sth
{"tree_size":559850441,"timestamp":1614174696273,"sha256_root_hash":"L8YCwGPzBaLlLNPfUYvBBD7+HxOlspzqauPYofrY6sg=","tree_head_signature":"BAMARjBEAiAzni+WOhX8uVZnI2CWvuF2sfkgj3mQFxE+mIiBC9e01gIgGrIBRK/m2WFp22FVXiwcOYgVD39Hj5+Pt0hfpbT4QN0="}

###################

$ curl -s https://ct.googleapis.com/logs/eu1/mirrors/letsencrypt_oak2020/ct/v1/get-sth
{"tree_size":566652310,"timestamp":1614167537556,"sha256_root_hash":"5jhWRmb17hGNvwBxx9w0D9U42ZkssZqSex1Dh0vuyeU=","tree_head_signature":"BAMARzBFAiAUPeW/RdX50WEohAWXz54ofgQZoVd4f4of7FRemtcScwIhAJhZvXjVHIzqXQ8DzuZN3Fo6D1xUwwFOd4Lg6sVdpZ4e"}

$ curl -s https://oak.ct.letsencrypt.org/2020/ct/v1/get-sth
{"tree_size":566652310,"timestamp":1614167537556,"sha256_root_hash":"5jhWRmb17hGNvwBxx9w0D9U42ZkssZqSex1Dh0vuyeU=","tree_head_signature":"BAMARzBFAiAUPeW/RdX50WEohAWXz54ofgQZoVd4f4of7FRemtcScwIhAJhZvXjVHIzqXQ8DzuZN3Fo6D1xUwwFOd4Lg6sVdpZ4e"}

The tree_head_signature on each shard will change periodically until said shard is frozen.

6 Likes
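An added example (not code from the thread, Let's Encrypt or Google): a small Python script that decodes get-sth responses like the ones quoted above and checks that a mirror reports the same tree head as its origin shard. It assumes the two Oak 2019 bodies from the post as its input; the algorithm codes (SHA-256 = 4, ECDSA = 3) are the TLS SignatureAndHashAlgorithm values RFC 6962 logs use for the tree_head_signature.

```python
import base64
import json

# get-sth bodies copied from the post above (Oak 2019 mirror, then origin).
MIRROR_2019 = ('{"tree_size":559850441,"timestamp":1614174696273,'
               '"sha256_root_hash":"L8YCwGPzBaLlLNPfUYvBBD7+HxOlspzqauPYofrY6sg=",'
               '"tree_head_signature":"BAMARzBFAiBH2+EQekg/AjWc+6ftHJ5tZ1mtUvTbVn95mW5HVoo9eQ'
               'IhAJfsbJNOq5/oOrMpIK5GiNIMgkw6VwqJomqD2a/IQTKs"}')
ORIGIN_2019 = ('{"tree_size":559850441,"timestamp":1614174696273,'
               '"sha256_root_hash":"L8YCwGPzBaLlLNPfUYvBBD7+HxOlspzqauPYofrY6sg=",'
               '"tree_head_signature":"BAMARjBEAiAzni+WOhX8uVZnI2CWvuF2sfkgj3mQFxE+mIiBC9e01g'
               'IgGrIBRK/m2WFp22FVXiwcOYgVD39Hj5+Pt0hfpbT4QN0="}')

# TLS SignatureAndHashAlgorithm values an RFC 6962 log uses for its STH.
HASH_SHA256 = 4
SIG_ECDSA = 3

def parse_sth(body):
    """Decode a get-sth JSON body and check the shape of its binary fields.
    tree_head_signature is a TLS DigitallySigned: hash alg (1 byte),
    signature alg (1 byte), length (2 bytes big-endian), signature bytes.
    Raises ValueError on anything that does not look like a valid STH.
    """
    sth = json.loads(body)
    root = base64.b64decode(sth["sha256_root_hash"], validate=True)
    if len(root) != 32:
        raise ValueError("sha256_root_hash must be 32 bytes")
    ths = base64.b64decode(sth["tree_head_signature"], validate=True)
    if len(ths) < 4:
        raise ValueError("tree_head_signature too short")
    hash_alg, sig_alg = ths[0], ths[1]
    sig_len = int.from_bytes(ths[2:4], "big")
    sig = ths[4:]
    if (hash_alg, sig_alg) != (HASH_SHA256, SIG_ECDSA):
        raise ValueError("unexpected algorithms %d/%d" % (hash_alg, sig_alg))
    if sig_len != len(sig):
        raise ValueError("signature length field disagrees with payload")
    return {"tree_size": int(sth["tree_size"]), "timestamp": int(sth["timestamp"]),
            "root_hash": root, "sig": sig}

def mirror_in_sync(origin_body, mirror_body):
    """True when origin and mirror publish the same tree head.
    Only tree_size, timestamp and root hash are compared: signatures over
    the same head can legitimately differ (compare the Oak 2019 pair above;
    randomised ECDSA or a different signing key gives different bytes), and
    verifying one needs the signing public key, which this example does not fetch.
    """
    a, b = parse_sth(origin_body), parse_sth(mirror_body)
    return all(a[k] == b[k] for k in ("tree_size", "timestamp", "root_hash"))
```

A tampered or truncated body (wrong root-hash length, or a length field that disagrees with the signature payload) is rejected with ValueError rather than silently compared.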

Oh, thanks! Somehow I didn't understand that this was a queryable CT log mirror rather than a huge serialized database file or something.

6 Likes

Thank you for asking and causing me to triple check! :cold_sweat: :laughing:

5 Likes