CTPolicy: always try to get SCTs from a tiled log first#8676
Open
aarongable wants to merge 2 commits intomainfrom
Open
CTPolicy: always try to get SCTs from a tiled log first#8676aarongable wants to merge 2 commits intomainfrom
aarongable wants to merge 2 commits intomainfrom
Conversation
Contributor
|
Given that we (at least for now) require at least one non-Tiled log, should we have a similar loop for the case when both of the first two are a tiled log? |
Contributor
Author
|
I considered it, but that requirement goes away in one month (April 15, 2026), so I decided it wasn't worth the extra complication. We won't be submitting to two tiled logs any more often than we do today (the loop doesn't haul one to the front if a tiled log is already there), so we're not gaining any inefficiency in that regard. |
beautifulentropy
previously approved these changes
Mar 13, 2026
Contributor
Only for Chrome's program - Apple still requires one RFC6962 log in https://support.apple.com/en-ca/103214 |
mcpherrinm
reviewed
Mar 13, 2026
aarongable
commented
Mar 13, 2026
Co-authored-by: Matthew McPherrin <[email protected]> Co-authored-by: Aaron Gable <[email protected]>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
The Mozilla root program would really appreciate it if more certificates contained SCTs from tiled logs. This is because their revocation mechanism, CRLite, can only return a definitive answer for the status of a certificate after the MMD of at least one SCT on that cert has passed. Once the MMD has passed, CRLite can guarantee that it has included the cert in the total cert population while constructing its clubcard filters, and therefore can prevent any false positives or negatives for that cert. But RFC 6962 log typically have MMDs of 24h, while static logs have MMDs of ~1s (and are much easier for the CRLite infrastructure to read from), so CRLite works better when more certs have SCTs from static logs.
Today, we treat tiled (static-ct-api) and untiled (rfc 6962) logs nearly the same when submitting precerts to get SCTs. We shuffle them together, pick two, attempt to get SCTs for a couple seconds, and if one or both are too slow, attempt to get SCTs from other logs further down the shuffled list.
However, this doesn't actually result in a large proportion of our certs having static SCTs, for two reasons. First, there just aren't that many static logs: of the 11 logs we get SCTs from, only 4 are tiled. So simple statistics dictate that only about 36% of our certs will have one static SCT. Second, static logs have a slower write path, so we're more likely to give up on a submission to a static log and move on to attempting to submit to an RFC 6962 log instead.
In order to give our certs a higher chance of containing an SCT from a static log, always ensure that a tiled log appears in the first two logs we submit to. This won't be a guarantee -- that log could be slow and we could get SCTs from the second and third logs in the shuffled list -- but it should bump our static SCT population from 36% to somewhere north of 90%.