Affects Version/s: None
Fix Version/s: None
Epic Name: Certificate Transparency requirements connected to Google's CT Qualification
The new CT requirements are as follows:
We currently fulfill this criterion only in the slightest sense. It is possible to mark a log as "mandatory", and in the Certificate Profile to require a min-max range of logs to be written to in each of the mandatory/non-mandatory categories. While this works, it means that:
- All CPs must share a concept of what these two categories are
- Since "mandatory" is the same as Google, it lumps all other logs into the same category. This might not be desirable for a CA hosting multiple different customers.
- The concept of writing to a mandatory non-mandatory log is contradictory.
We should instead:
- Introduce a labeling system in System Configuration (which would in essence be Google/non-Google) which gives a bit more freedom. Each log should belong to one label and one label only. It should be possible to rename labels. It would be best avoided, if possible, to save labels as their own objects. (ECA-6303, ECA-6304, ECA-6305, ECA-6307)
- In each Certificate Profile, we should add labels instead of individual logs, so that at least one log line will be written to a log from each label. We should also specify a max and a min (see below for a variation on the theme). (
Additionally, the standard gives the following table for minimum number of logs to be written to:
||Lifetime of certificate||Number of SCTs from distinct logs||
|>= 15, <= 27 months|3|
|> 27, <= 39 months|4|
|> 39 months|5|
This means that the current min-value is outdated; it should instead be set at issuance time based on the above table, which should be configurable in System Configuration, since it can be presumed to be global. If the max value happens to be less than the derived min-value, then that exact number of logs should be written to. If the max value is blank, then the min-value is exact.
We should instead:
- Make the above table configurable in System Configuration, with the above values as default. (
- Source these values at issuance time according to the above description.
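As an added illustration of the issuance-time derivation described above (example code written for this ticket, not EJBCA's implementation), the table is kept as configurable rows and combined with a profile's max value. Assumptions: lifetimes are expressed in months, lifetimes below the table's 15-month floor are rejected rather than guessed, and "that exact number" in the rule above is read as the table-derived minimum, so the minimum always wins.

```python
from typing import List, Optional, Tuple

# Default table from the ticket, as it would be stored in System Configuration.
# Rows are (inclusive upper bound in months, or None for open-ended; SCTs required).
TABLE_FLOOR_MONTHS = 15  # the ticket's table starts at ">= 15 months"
DEFAULT_SCT_TABLE: List[Tuple[Optional[int], int]] = [
    (27, 3),    # >= 15, <= 27 months -> 3 SCTs from distinct logs
    (39, 4),    # > 27, <= 39 months  -> 4
    (None, 5),  # > 39 months         -> 5
]


def derived_min_scts(lifetime_months: float,
                     table: List[Tuple[Optional[int], int]] = DEFAULT_SCT_TABLE) -> int:
    """Look up the minimum number of SCTs for a certificate lifetime."""
    if lifetime_months < TABLE_FLOOR_MONTHS:
        # Assumption: the ticket's table does not cover shorter lifetimes,
        # so refuse instead of inventing a value.
        raise ValueError(f"no SCT rule configured for lifetime {lifetime_months} months")
    for upper, count in table:
        if upper is None or lifetime_months <= upper:
            return count
    raise ValueError("SCT table has no open-ended row")


def logs_to_write(lifetime_months: float,
                  profile_max: Optional[int]) -> Tuple[int, int]:
    """Return the (min, max) number of logs to submit to at issuance time.

    Assumed reading of the ticket: the table-derived minimum is authoritative.
    A blank profile max, or a max below the minimum, collapses to exactly
    the minimum; otherwise the profile max bounds the range from above.
    """
    minimum = derived_min_scts(lifetime_months)
    if profile_max is None or profile_max < minimum:
        return (minimum, minimum)
    return (minimum, profile_max)


def labels_with_logs(profile_labels: List[str], log_labels: List[Tuple[str, str]]) -> List[str]:
    """Return the profile's labels that have no configured log (constructed check:
    each entry of log_labels is (log_url, label), one label per log)."""
    available = {label for _url, label in log_labels}
    return [label for label in profile_labels if label not in available]
```

The empty list returned by `labels_with_logs` means every label in the profile can be satisfied; any label listed has nothing to write to and issuance cannot meet the "one log per label" rule.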