They're not non-compliant, and they don't need to be revoked. This is
because, so far, browsers have kept their Root Program Policy and their CT
Log Policy separate.

However, these certificates may not work in all browsers, so they probably
should be replaced. And some root programs are moving to include more
specific CT logging requirements in their Root Program Policies, so this
might become a misissuance in the near future.

Aaron


On Tue, Dec 2, 2025, 22:00 Arabella Barks <[email protected]> wrote:

> Hi all webPKI experts,
>
> Do you consider the certificates using the {Argon, Xenon, Sphinx, Wyvern}
> 2027H1 embedded SCT to be non-compliant?
>
> Regards,
> Ara.
> On Wednesday, December 3, 2025 at 1:01:08 PM UTC+8 Chya-Hung Tsai wrote:
>
>> Hi all,
>>
>> TWCA is aware of this issue. The root cause was an oversight in our CA
>> implementation regarding the monitoring of CT log server status.
>>
>> We have since implemented a fix by temporarily disabling log servers that
>> are in the 'Qualified' state to prevent the situation from escalating.
>> Furthermore, we have completed the assessment of potentially affected
>> certificates and are currently contacting users for certificate reissuance,
>> even though the exact degree of browser impact remains uncertain at this
>> time.
>> Regards,
>>
>> ChyaHung Tsai
>> TWCA
>>
>> On Wednesday, December 3, 2025 at 7:26:21 AM [UTC+8], Rob Stradling wrote:
>>
>>> Over at ct-policy, Andrew has posted some further analysis
>>> <https://groups.google.com/a/chromium.org/g/ct-policy/c/VGgpEj92dCk/m/Y_rN35ZKBwAJ>
>>> on this topic.  Several CAs are making mistakes when choosing which CT logs to
>>> embed SCTs from.
>>>
>>> And today I've announced ctlint
>>> <https://groups.google.com/a/chromium.org/g/ct-policy/c/UfP61eIEawQ/m/pson2ABfBwAJ>,
>>> a certificate/precertificate linting tool that checks for CT compliance.
>>> Using crt.sh's integration with pkimetal and pkimetal's new integration
>>> with ctlint, here's what ctlint reports for Arabella's example that started
>>> this thread:
>>>
>>> https://crt.sh/?id=22863122821&opt=pkimetal
>>> "ctlint v0.0.0-20251202204249-6806d5396dad:
>>>  WARNING: SCT list contains fewer approved SCTs than required by the
>>> Apple CT Policy
>>>  WARNING: SCT list satisfies the Chrome CT Policy using at least 1 SCT
>>> from a Qualified log that is not yet Usable
>>>     INFO: An SCT has a valid signature
>>>     INFO: An SCT has a valid signature
>>>     INFO: An SCT has a valid signature"
>>>
>>> On Tuesday, December 2, 2025 at 7:41:17 PM UTC Andrew Ayer wrote:
>>>
>>>> On Tue, 2 Dec 2025 11:31:16 -0500
>>>> Andrew Ayer <[email protected]> wrote:
>>>>
>>>> > Usable means that the log is expected to work in up-to-date clients,
>>>> > but there are still out-of-date clients in which it won't work.
>>>>
>>>> Correction: *Qualified* means that the log is expected to work in
>>>> up-to-date clients, but there are still out-of-date clients in which it
>>>> won't work.
>>>>
>>> --
> You received this message because you are subscribed to the Google Groups "
> [email protected]" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To view this discussion visit
> https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/223785d7-168b-48e7-9219-43d8f8937703n%40mozilla.org
> <https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/223785d7-168b-48e7-9219-43d8f8937703n%40mozilla.org?utm_medium=email&utm_source=footer>
> .
>
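
The log-state check discussed in this thread, as an added example (not code from the thread, ctlint, or any CA): it selects only Usable logs whose shard covers the certificate's notAfter, and audits the logs behind a certificate's embedded SCTs. Field names follow the v3 CT log list JSON; the operators, log IDs and dates are constructed, every log is assumed to carry a `temporal_interval`, and browser SCT-count rules are not modelled.

```python
from datetime import datetime, timezone

# Constructed sample in the shape of a v3 CT log list; operators, IDs and dates are made up.
LOG_LIST = {"operators": [
    {"name": "Operator A", "logs": [
        {"description": "A 2026h2", "log_id": "QUFBQQ==", "state": {"usable": {}},
         "temporal_interval": {"start_inclusive": "2026-07-01T00:00:00Z",
                               "end_exclusive": "2027-01-01T00:00:00Z"}},
        {"description": "A 2027h1", "log_id": "QkJCQg==", "state": {"qualified": {}},
         "temporal_interval": {"start_inclusive": "2027-01-01T00:00:00Z",
                               "end_exclusive": "2027-07-01T00:00:00Z"}}]},
    {"name": "Operator B", "logs": [
        {"description": "B 2027h1", "log_id": "Q0NDQw==", "state": {"usable": {}},
         "temporal_interval": {"start_inclusive": "2027-01-01T00:00:00Z",
                               "end_exclusive": "2027-07-01T00:00:00Z"}}]},
]}

def _utc(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def index_logs(log_list):
    """Flatten the list into {log_id: {operator, name, state, start, end}}."""
    out = {}
    for op in log_list["operators"]:
        for log in op.get("logs", []):
            iv = log["temporal_interval"]
            out[log["log_id"]] = {
                "operator": op["name"], "name": log["description"],
                # The state object has a single key naming the current state.
                "state": next(iter(log.get("state", {"unknown": {}}))),
                "start": _utc(iv["start_inclusive"]), "end": _utc(iv["end_exclusive"])}
    return out

def embeddable(logs, not_after, allowed_states=("usable",)):
    """Log IDs to request SCTs from: allowed state and shard covering notAfter."""
    return sorted(i for i, l in logs.items()
                  if l["state"] in allowed_states and l["start"] <= not_after < l["end"])

def audit_scts(logs, sct_log_ids):
    """(log name, state) for each embedded SCT whose log is not Usable."""
    return [(logs[i]["name"], logs[i]["state"]) if i in logs else (i, "not in list")
            for i in sct_log_ids if i not in logs or logs[i]["state"] != "usable"]
```

Widening `allowed_states` to include `"qualified"` reproduces the selection mistake the thread describes, where a time-sharded log is picked before it is Usable.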
