Over at ct-policy, Andrew has posted some further analysis <https://groups.google.com/a/chromium.org/g/ct-policy/c/VGgpEj92dCk/m/Y_rN35ZKBwAJ> on this topic. Several CAs are making mistakes when choosing which CT logs to embed SCTs from.
And today I've announced ctlint <https://groups.google.com/a/chromium.org/g/ct-policy/c/UfP61eIEawQ/m/pson2ABfBwAJ>, a certificate/precertificate linting tool that checks for CT compliance. Using crt.sh's integration with pkimetal and pkimetal's new integration with ctlint, here's what ctlint reports for Arabella's example that started this thread:

https://crt.sh/?id=22863122821&opt=pkimetal

"ctlint v0.0.0-20251202204249-6806d5396dad:
WARNING: SCT list contains fewer approved SCTs than required by the Apple CT Policy
WARNING: SCT list satisfies the Chrome CT Policy using at least 1 SCT from a Qualified log that is not yet Usable
INFO: An SCT has a valid signature
INFO: An SCT has a valid signature
INFO: An SCT has a valid signature"

On Tuesday, December 2, 2025 at 7:41:17 PM UTC Andrew Ayer wrote:

> On Tue, 2 Dec 2025 11:31:16 -0500
> Andrew Ayer <[email protected]> wrote:
>
> > Usable means that the log is expected to work in up-to-date clients, but
> > there are still out-of-date clients in which it won't work.
>
> Correction: *Qualified* means that the log is expected to work in
> up-to-date clients, but there are still out-of-date clients in which it
> won't work.
