Security Research: Chrome Removes “One Google Log” Requirement from Its CT Policy

In the early days of Certificate Transparency there weren't many CT log operators, which compelled Google to require that all certificates be logged to at least one Google-operated log. Starting in March 2021, Chrome deployed and continued to improve SCT auditing, which aims to provide additional security no matter where the certificates are logged. From April 2022, Chrome will use a new CT policy that removes the “One Google Log” requirement.

SCT Auditing

To understand why the "One Google Log" requirement existed, we have to understand that, when a certificate is recorded, the CT log effectively issues a promise (in the form of a Signed Certificate Timestamp, or SCT) to publish it to the public. Although we expect that all CT logs will follow through and deliver on their promises, we need technical measures to ensure that they do.

Unfortunately, that's easier said than done. The usual way to test CT log operation is to constantly submit certificates and check if they are being published, but this only verifies correct operation when there isn't malice involved. It's still possible for multiple CT log operators to collude and hide a certificate. Such a certificate would be accepted as valid, on the grounds that it contains all the right SCTs.

This is where SCT auditing comes in—it enables verification of certificates actually observed in public. This additional layer of security means that fraudulent certificates—should they happen—can be discovered. Google doesn't necessarily need to see all public certificates via their CT logs. If you'd like to learn more about SCT auditing, we've written about it before on this blog. In addition, there's also a freshly-released paper from the Google team, titled SCT Auditing in Certificate Transparency that's worth a look.

Chrome's New CT Policy

Chrome's new generic CT policy that doesn't mention Google's CT logs is a big step forward for the CT ecosystem. In addition, the removal of the “One Google Log” requirement means that Google's CT logs are no longer a single point of failure, at least in theory. In practice, further CT log operators will be needed to make the system more resilient.

Chrome's new CT policy will be released with Chrome 100 on March 29th, but will apply to certificates issued from April 15th onward. When Apple updated their policy in April 2021, we wrote about how it took a different approach from Chrome, leading to two major companies having different requirements. That was worrying. With Chrome's latest policy update, the CT policies are nominally the same, although both companies will continue to maintain separate CT log lists.
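Added example, not code from the post or from Chrome: the RFC 6962 inclusion-proof check that an SCT auditor runs to confirm a log actually published what its SCT promised, with the log side (tree hash and audit path) included so it runs offline. The leaf byte strings are constructed stand-ins for MerkleTreeLeaf encodings.

```python
import hashlib
def leaf_hash(leaf):
    # RFC 6962 leaf hash: SHA-256(0x00 || MerkleTreeLeaf)
    return hashlib.sha256(b"\x00" + leaf).digest()

def node_hash(left, right):
    # RFC 6962 interior node: SHA-256(0x01 || left || right)
    return hashlib.sha256(b"\x01" + left + right).digest()

def split_point(n):
    # RFC 6962 "k": the largest power of two strictly less than n (n >= 2)
    return 1 << ((n - 1).bit_length() - 1)

def merkle_root(leaves):
    # Merkle Tree Hash, RFC 6962 section 2.1: the root a log signs in its STH
    if not leaves:
        return hashlib.sha256(b"").digest()
    if len(leaves) == 1:
        return leaf_hash(leaves[0])
    k = split_point(len(leaves))
    return node_hash(merkle_root(leaves[:k]), merkle_root(leaves[k:]))

def audit_path(leaves, m):
    # Inclusion path for leaf m, RFC 6962 section 2.1.1 (computed by the log)
    if len(leaves) <= 1:
        return []
    k = split_point(len(leaves))
    if m < k:
        return audit_path(leaves[:k], m) + [merkle_root(leaves[k:])]
    return audit_path(leaves[k:], m - k) + [merkle_root(leaves[:k])]

def verify_inclusion(leaf, index, tree_size, path, root):
    # Auditor side (RFC 9162 section 2.1.3.2): rebuild the root from leaf and path; a match with the STH root proves publication
    if index >= tree_size:
        return False
    fn, sn, r = index, tree_size - 1, leaf_hash(leaf)
    for p in path:
        if sn == 0:
            return False
        if fn & 1 or fn == sn:
            r = node_hash(p, r)
            while fn and not fn & 1:  # climb past levels with no right sibling
                fn, sn = fn >> 1, sn >> 1
        else:
            r = node_hash(r, p)
        fn, sn = fn >> 1, sn >> 1
    return sn == 0 and r == root

# Constructed stand-ins for MerkleTreeLeaf encodings of seven logged certs
LOG = [b"cert-%d" % i for i in range(7)]
```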


Yeah I think it was about time. I've always been a bit concerned with the "our Google logs need to be online, or you can't issue a certificate" policy. It's essentially always been a single point of failure for all CAs, ever since embedded SCTs became the standard. Google is right that there were some bad CT log operators in the past, but I believe the situation has improved a lot over the years and CT availability is much better now.

An example where a Google CT Log outage brought down Let's Encrypt is here: 2018.11.30 Production Google CT Log Submission Failures


While this part of the change doesn't apply to LE, they now require a 3rd CT log for certificates with validity periods of 180 days or longer that are embedding SCTs.

