Hi all,

TWCA is aware of this issue. The root cause was an oversight in our CA implementation regarding the monitoring of CT log server status. We have since implemented a fix by temporarily disabling log servers that are in the 'Qualified' state to prevent the situation from escalating. Furthermore, we have completed the assessment of potentially affected certificates and are currently contacting users for certificate reissuance, even though the exact degree of browser impact remains uncertain at this time.

Regards,
ChyaHung Tsai
TWCA

On Wednesday, December 3, 2025 at 7:26:21 AM [UTC+8], Rob Stradling wrote:

> Over at ct-policy, Andrew has posted some further analysis
> <https://groups.google.com/a/chromium.org/g/ct-policy/c/VGgpEj92dCk/m/Y_rN35ZKBwAJ>
> on this topic. Several CAs are making mistakes when choosing which CT logs to
> embed SCTs from.
>
> And today I've announced ctlint
> <https://groups.google.com/a/chromium.org/g/ct-policy/c/UfP61eIEawQ/m/pson2ABfBwAJ>,
> a certificate/precertificate linting tool that checks for CT compliance.
> Using crt.sh's integration with pkimetal and pkimetal's new integration
> with ctlint, here's what ctlint reports for Arabella's example that started
> this thread:
>
> https://crt.sh/?id=22863122821&opt=pkimetal
> "ctlint v0.0.0-20251202204249-6806d5396dad:
> WARNING: SCT list contains fewer approved SCTs than required by the Apple
> CT Policy
> WARNING: SCT list satisfies the Chrome CT Policy using at least 1 SCT
> from a Qualified log that is not yet Usable
> INFO: An SCT has a valid signature
> INFO: An SCT has a valid signature
> INFO: An SCT has a valid signature"
>
> On Tuesday, December 2, 2025 at 7:41:17 PM UTC Andrew Ayer wrote:
>
>> On Tue, 2 Dec 2025 11:31:16 -0500
>> Andrew Ayer <[email protected]> wrote:
>>
>> > Usable means that the log is expected to work in up-to-date clients,
>> but there are still out-of-date clients in which it won't work.
>>
>> Correction: *Qualified* means that the log is expected to work in
>> up-to-date clients, but there are still out-of-date clients in which it
>> won't work.
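
The log-state check discussed in this thread, as an added example that is not part of any message above and is not ctlint's or TWCA's code: it reads a log list in the v3 JSON shape (operators, logs, a single-key state object), selects only Usable logs for embedding, and flags an SCT list that reaches a required count only by counting Qualified logs. The sample list, the function names and the `required` parameter are assumptions; browser policies impose further conditions, such as operator diversity, that are out of scope here.

```python
import json

# Constructed sample in the shape of a v3 CT log list (operators -> logs -> state).
# Operator names, log IDs and timestamps are invented for this example.
SAMPLE_LOG_LIST = json.loads("""
{"operators": [
  {"name": "Operator A", "logs": [
    {"log_id": "AAAA", "state": {"usable": {"timestamp": "2025-01-01T00:00:00Z"}}},
    {"log_id": "BBBB", "state": {"qualified": {"timestamp": "2025-11-01T00:00:00Z"}}}]},
  {"name": "Operator B", "logs": [
    {"log_id": "CCCC", "state": {"usable": {"timestamp": "2025-02-01T00:00:00Z"}}}]}
]}
""")


def log_states(log_list):
    """Return {log_id: state_name} for every log in the list."""
    states = {}
    for operator in log_list["operators"]:
        for log in operator.get("logs", []):
            # "state" is an object with one key naming the current state.
            states[log["log_id"]] = next(iter(log.get("state", {})), "unknown")
    return states


def logs_for_issuance(log_list):
    """Logs a CA would submit to if it only embeds SCTs from Usable logs."""
    return sorted(i for i, s in log_states(log_list).items() if s == "usable")


def check_scts(sct_log_ids, log_list, required):
    """Classify an SCT list against a caller-supplied minimum count.

    Returns (status, qualified_ids) where status is "ok", "depends_on_qualified"
    (the minimum is met only by counting Qualified logs) or "insufficient".
    """
    states = log_states(log_list)
    usable = [i for i in sct_log_ids if states.get(i) == "usable"]
    qualified = [i for i in sct_log_ids if states.get(i) == "qualified"]
    if len(usable) >= required:
        return "ok", qualified
    if len(usable) + len(qualified) >= required:
        return "depends_on_qualified", qualified
    return "insufficient", qualified


if __name__ == "__main__":
    print(logs_for_issuance(SAMPLE_LOG_LIST))
    print(check_scts(["AAAA", "BBBB"], SAMPLE_LOG_LIST, required=2))
```

Running the same check against the current log list at issuance time, rather than against a list cached when the CA software was configured, is what catches a log that has moved between states.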
