Hi all webPKI experts,
Do you consider the certificates using the {Argon, Xenon, Sphinx, Wyvern}
2027H1 embedded SCT to be non-compliant?
Regards,
Ara.
On Wednesday, December 3, 2025 at 1:01:08 PM UTC+8 Chya-Hung Tsai wrote:
> Hi all,
>
> TWCA is aware of this issue. The root cause was an oversight in our CA
> implementation regarding the monitoring of CT log server status.
>
> We have since implemented a fix by temporarily disabling log servers that
> are in the 'Qualified' state to prevent the situation from escalating.
> Furthermore, we have completed the assessment of potentially affected
> certificates and are currently contacting users for certificate reissuance,
> even though the exact degree of browser impact remains uncertain at this
> time.
> Regards,
>
> ChyaHung Tsai
> TWCA
>
> On Wednesday, December 3, 2025 at 7:26:21 AM [UTC+8], Rob Stradling wrote:
>
>> Over at ct-policy, Andrew has posted some further analysis
>> <https://groups.google.com/a/chromium.org/g/ct-policy/c/VGgpEj92dCk/m/Y_rN35ZKBwAJ>
>> on this topic. Several CAs are making mistakes when choosing which CT logs
>> to embed SCTs from.
>>
>> And today I've announced ctlint
>> <https://groups.google.com/a/chromium.org/g/ct-policy/c/UfP61eIEawQ/m/pson2ABfBwAJ>,
>> a certificate/precertificate linting tool that checks for CT compliance.
>> Using crt.sh's integration with pkimetal and pkimetal's new integration
>> with ctlint, here's what ctlint reports for Arabella's example that started
>> this thread:
>>
>> https://crt.sh/?id=22863122821&opt=pkimetal
>> "ctlint v0.0.0-20251202204249-6806d5396dad:
>> WARNING: SCT list contains fewer approved SCTs than required by the
>> Apple CT Policy
>> WARNING: SCT list satisfies the Chrome CT Policy using at least 1 SCT
>> from a Qualified log that is not yet Usable
>> INFO: An SCT has a valid signature
>> INFO: An SCT has a valid signature
>> INFO: An SCT has a valid signature"
>>
>> On Tuesday, December 2, 2025 at 7:41:17 PM UTC Andrew Ayer wrote:
>>
>>> On Tue, 2 Dec 2025 11:31:16 -0500
>>> Andrew Ayer <[email protected]> wrote:
>>>
>>> > Usable means that the log is expected to work in up-to-date clients,
>>> > but there are still out-of-date clients in which it won't work.
>>>
>>> Correction: *Qualified* means that the log is expected to work in
>>> up-to-date clients, but there are still out-of-date clients in which it
>>> won't work.
>>>
>>
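
Added example, not part of the thread and not ctlint's code: a sketch of the CA-side check discussed above, which keeps only Usable logs for embedding and flags an SCT set that reaches its required count only by counting Qualified logs. The log list contents, log IDs, function names and the min_scts value are constructed assumptions; only the state-keyed layout follows the browser log list format.

```python
# Constructed sample shaped like a browser CT log list (operators -> logs ->
# state). Operator names, log IDs and states are invented for this example.
def _log(desc, log_id, state):
    return {"description": desc, "log_id": log_id,
            "state": {state: {"timestamp": "2025-01-01T00:00:00Z"}}}

SAMPLE_LOG_LIST = {"operators": [
    {"name": "Operator A (constructed)", "logs": [
        _log("A 2026h2", "id-a-2026h2", "usable"),
        _log("A 2027h1", "id-a-2027h1", "qualified")]},
    {"name": "Operator B (constructed)", "logs": [
        _log("B 2026h2", "id-b-2026h2", "usable"),
        _log("B 2027h1", "id-b-2027h1", "qualified")]},
]}

def index_logs(log_list):
    """Map log_id -> state name ('usable', 'qualified', ...)."""
    index = {}
    for operator in log_list["operators"]:
        for log in operator.get("logs", []):
            # The state object has a single key naming the current state.
            index[log["log_id"]] = next(iter(log.get("state", {})), "unknown")
    return index

def usable_log_ids(log_list):
    """Logs left after disabling everything that is not yet Usable."""
    return sorted(i for i, s in index_logs(log_list).items() if s == "usable")

def review_scts(log_list, sct_log_ids, min_scts):
    """Count SCTs by log state and flag reliance on Qualified logs.

    min_scts is supplied by the caller for the policy being targeted; this
    example does not encode any browser's actual thresholds.
    """
    index = index_logs(log_list)
    states = [index.get(log_id, "unknown") for log_id in sct_log_ids]
    usable, qualified = states.count("usable"), states.count("qualified")
    findings = []
    if usable < min_scts <= usable + qualified:
        findings.append("meets min_scts only by counting Qualified logs")
    elif usable + qualified < min_scts:
        findings.append("fewer recognised SCTs than min_scts")
    if "unknown" in states:
        findings.append("SCT from a log missing from the log list")
    return {"usable": usable, "qualified": qualified, "findings": findings}

if __name__ == "__main__":
    print(usable_log_ids(SAMPLE_LOG_LIST))
    print(review_scts(SAMPLE_LOG_LIST, ["id-a-2027h1", "id-b-2027h1", "id-a-2026h2"], 2))
```

Running the same review at issuance time, before the precertificate is submitted, is what keeps a newly Qualified log out of the embedded SCT list until it becomes Usable.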