
A Tour Through Merkle Town, Cloudflare's Certificate Transparency Dashboard - grittygrease
https://blog.cloudflare.com/a-tour-through-merkle-town-cloudflares-ct-ecosystem-dashboard/
======
tialaramex
Log operators seem to have largely settled on the idea of sharding logs
annually by expiry date (?). This will allow a log to be "closed" to new
entries and the maintenance wound down in an orderly fashion so that logs
don't grow endlessly.

There's a fun interaction between this and changing expiration rules. Ballot
193 changed the maximum expiration to 825 days from 1 March 2018 (i.e. a few
weeks ago). So in February 2018 it was possible to renew a cert with, say,
DigiCert and have the new cert expire in May 2021, 39 months later (the CAs
didn't tend to sell 39 months directly to end users, they used the extra 3
months to "carry over" time when you renewed a certificate for three years,
likewise they don't now sell 825 days, they sell 2 years and just "carry over"
the extra days). Today the latest a new cert (including a renewal) could
expire is June 2020. So the 2021 logs are no longer really filling up for
another six months.
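
The interaction described above, worked through as an added example (written for this page, not code from Cloudflare, the dashboard, or any log operator). It assumes a one-shard-per-calendar-year scheme keyed on the certificate's notAfter, a hypothetical log name, and that the old 39-month limit is applied as calendar months while the new limit is a plain 825-day offset; real Baseline Requirement day-counting and real operators' shard boundaries differ in detail.

```python
from calendar import monthrange
from datetime import date, timedelta

# Assumption for illustration: the log is split into temporal shards, one per
# calendar year of the certificate's notAfter, named "<log>-<year>".
LOG_NAME = "example-log"  # hypothetical log name

# CA/Browser Forum Ballot 193 cut the maximum validity period for newly
# issued certificates from 39 months to 825 days, effective 1 March 2018.
BALLOT_193_EFFECTIVE = date(2018, 3, 1)
OLD_MAX_MONTHS = 39
NEW_MAX_DAYS = 825


def add_months(d: date, months: int) -> date:
    """Add calendar months to a date, clamping the day to the target month's length."""
    years, month_index = divmod(d.month - 1 + months, 12)
    year, month = d.year + years, month_index + 1
    return d.replace(year=year, month=month, day=min(d.day, monthrange(year, month)[1]))


def latest_not_after(not_before: date) -> date:
    """Latest expiry a certificate issued on `not_before` may carry under the
    rule in force on that day: 39 months before Ballot 193, 825 days after.
    Treating each limit as a plain date offset is a simplification."""
    if not_before < BALLOT_193_EFFECTIVE:
        return add_months(not_before, OLD_MAX_MONTHS)
    return not_before + timedelta(days=NEW_MAX_DAYS)


def shard_for(not_after: date) -> str:
    """Temporal shard a certificate lands in, keyed by its expiry year (assumed scheme)."""
    return f"{LOG_NAME}-{not_after.year}"


def earliest_issuance_for_shard(year: int) -> date:
    """First issuance date under the 825-day rule on which a new certificate
    can expire in `year`, i.e. when that year's shard starts filling again."""
    return date(year, 1, 1) - timedelta(days=NEW_MAX_DAYS)


def validity_is_compliant(not_before: date, not_after: date) -> bool:
    """Does the certificate respect the maximum validity in force at issuance?"""
    return not_after <= latest_not_after(not_before)


if __name__ == "__main__":
    # Constructed dates: one renewal just before the cut-over, one just after.
    for issued in (date(2018, 2, 15), date(2018, 3, 15)):
        expiry = latest_not_after(issued)
        print(f"issued {issued}: latest expiry {expiry} -> {shard_for(expiry)}")
    print("2021 shard starts filling on", earliest_issuance_for_shard(2021))
    print("39-month cert issued after the change compliant?",
          validity_is_compliant(date(2018, 3, 15), date(2021, 6, 15)))
```

Run as a script it shows the gap the comment describes: a renewal on 15 February 2018 may expire 15 May 2021 and goes to the 2021 shard, while one issued two weeks later tops out on 17 June 2020, and under the assumed yearly scheme nothing can reach the 2021 shard until issuance on 29 September 2018. The same `latest_not_after` check is what a log or monitor would use to flag a certificate whose validity exceeds the limit that applied when it was issued.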

~~~
prdonahue
There's also an interesting discussion right now on ct-policy about whether a
failure in one log shard should result in disqualification of all shards that
make up that log: [https://groups.google.com/a/chromium.org/forum/#!topic/ct-po...](https://groups.google.com/a/chromium.org/forum/#!topic/ct-policy/UxHHWGjrr3k).

------
prdonahue
What else would you like to see on here?

We've got a couple improvements in mind, e.g., rolling up roots by ownership,
drilling into individual certificates, etc. but curious to hear what the
community would like to see.

~~~
iDemonix
A rename.

