google · idrysdale · Dec 21, 2020 · Dec 21, 2020 · Dec 21, 2020 · Dec 21, 2020
@@ -46,7 +46,13 @@ $palettes: (
     "mid": #D6FFF8,
     "dark": #00B3B2,
     "full": #178270
-  )
+  ),
+  markdown: (
+    "tint": #fafaff,
+    "mid": #e5e5ff,
+    "dark": #7575f0,
+    "full": #3333cc
+  ),
 );
 
 @each $page, $colors in $palettes {

@@ -17,3 +17,4 @@
 @import 'logtable.scss';
 @import 'community.scss';
 @import 'actors.scss';
+@import 'markdown.scss';
@@ -0,0 +1,116 @@
+.markdown {
+  margin-bottom: 10rem;
+
+  @include md {
+    width: 75%;
+    margin-left: 12.5%;
+  }
+
+  nav {
+    ul {
+      list-style: decimal;
+      font-family: $font-mono, monospace;
+      line-height: 1.75rem;
+      margin-left: 0;
+      margin-top: 0;
+      li {
+        margin-bottom:0;
+        margin-left: 0;
+        a {
+          color: map-get(map-get($palettes, "markdown"), "full");
+        }
+      }
+    }
+  }
+
+  .markdown-heading {
+    margin: 4rem 0 4rem 0;
+
+    h4 {
+      font-family: $font-mono, monospace;
+      font-weight: bold;
+      font-size: 1rem;
+      margin: 0;
+      line-height: 1.75rem;
+      padding-bottom: 0;
+    }
+  }
+
+  h1 {
+    margin: 0 0 2rem;
+    font-size: 3rem;
+    letter-spacing: -0.04em;
+    font-weight: 800;
+    line-height: 1.1;
+
+    @include sm {
+      font-size: 2.6rem;
+      br {
+        display: none;
+      }
+    }
+
+    @include md {
+      margin: 0 0 1rem;
+    }
+  }
+
+  h2 {
+    font-weight: 600;
+    line-height: 1;
+    color: $col-greyish;
+    line-height: 115%;
+    letter-spacing: -0.035em;
+    font-size: 1.6rem;
+    font-weight: 700;
+
+    @include sm {
+      margin: 9.5vw 0 4.75vw 0;
+      // padding: 0 1rem;
+      padding: 0;
+    }
+    @include md {
+      margin: 3.5rem 0 1rem 0;
+    }
+  }
+
+  h3 {
+    font-weight: 700;
+    margin: 2rem 0 1rem;
+    font-size: 1.3rem;
+    letter-spacing: -0.035em;
+    line-height: 105%;
+    color: $col-greyish;
+  }
+
+  p, li {
+    margin: 0 0 1rem;
+    font-family: $font-mono, monospace;
+    font-size: 0.8rem;
+    line-height: 1.75;
+  }
+}
+
+.log-callout {
+    padding: 10px 12px;
+    border: 1px solid $col-black;
+    border-radius: 2px;
+    margin-bottom: 24px;
+    background: map-get(map-get($palettes, "markdown"), "tint");
+    h4 {
+      font-weight: 700;
+      letter-spacing: -0.035em;
+      margin: 0.5rem 0;
+      font-size: 1rem;
+      color: $col-black;
+    }
+    p {
+      font-family: $font-mono, monospace;
+      font-size: 0.8rem;
+      margin: 0 0 0;
+      &:last-child {
+        margin: 0;
+      }
+    }
+}
+
@@ -0,0 +1,91 @@
+---
+title: Getting Started
+url: /getting-started
+layout: markdown
+show_table_of_contents: true
+---
+
+So you want to get on board with Certificate Transparency? The steps you should
+take depend on your role. Are you doing so on behalf of a website, certificate
+authority (CA) or user agent (e.g. a browser)?
+
+## Website
+
+**Most website operators shouldn't need to do anything** - your CA should have
+submitted your HTTPS certificate to a suitable number of CT logs and embedded
+SCTs in the certificate before giving it to you. However, if you'd like to check
+this for yourself, you can do so using Google Chrome. Open Chrome's developer
+tools (under "More tools" in the Chrome menu) and switch to the security tab.
+Browse to your website, then click on its URL under "Main origin" (on the left,
+in the security tab). This will display security information about your website.
+Towards the bottom, there will be a section titled "Certificate Transparency",
+which will list the SCTs provided by your website. If this section is not
+displayed, then your website did not provide any SCTs and is not compliant with
+Certificate Transparency. Otherwise, you can compare the listed SCTs with
+Chrome's policy to check whether the provided SCTs are sufficient.
+
+![Show Chrome SCTs](/img/markdown/chrome_scts.png "Chrome SCTs")
+
+## CA
+
+A certificate authority can generate pre-certificates and submit them to CT logs
+in order to embed [SCTs](https://certificate.transparency.dev/howctworks) in
+the certificates they provide to their customers. So long as these SCTs are
+compliant with the CT policies of browsers (e.g.
+[Chrome's policy](https://github.com/chromium/ct-policy/blob/master/ct_policy.md#qualifying-certificate),
+their customers should not need to do anything in order to benefit from
+Certificate Transparency. The process for generating a pre-certificate is
+described in [RFC6962](https://tools.ietf.org/html/rfc6962#section-3.1) and
+implemented in most certificate issuance software. There is some value in also
+logging the final issued certificate, as it allows CT monitors to see which SCTs
+were embedded in it and thereby determine the impact of a CT log being
+distrusted by a user agent.
+
+The Chrome team usually insist that any CT log trusted by Chrome is operated in
+a fair, open manner. This means they should accept certificates issued by any
+root certificate in the major root stores (managed by Microsoft, Apple and
+Mozilla) and have reasonable rate limits. Therefore, it should be possible to
+immediately begin submitting to most, if not all, of the logs in
+[Chrome's log list](https://source.chromium.org/chromium/chromium/src/+/master:components/certificate_transparency/data/log_list.json),
+so long as your root certificate is in one of these stores. You can find out
+which root certificates are trusted by a CT log by downloading its
+[/ct/v1/get-roots](https://tools.ietf.org/html/rfc6962#section-4.7) response.
+However, note that it takes around 6 months for updates to Chrome's log list to
+reach most of its users, so relying on SCTs from recently-added CT logs may
+cause a certificate to only satisfy Chrome's policy in the latest version of
+their browser.
+
+### Testing
+
+Many CT log operators run test logs for CAs to perform integration testing
+against, e.g. -
+[Google's testtube log](certificate.transparency.dev/known-logs) -
+[Comodo's Dodo log](https://github.com/Comodo-CA/CTLogs-AcceptedRoots) -
+[Let's Encrypt's Testflume log](https://letsencrypt.org/docs/ct-logs/)
+
+These are typically free to use but require that you send them your root
+certificate first. They may have additional requirements as well, e.g. that the
+root certificate's subject contains the word "test".
+
+## User Agent
+
+There are a few things that a user agent can do to improve security for their
+users using Certificate Transparency.
+
+### Verifying SCTs
+
+The simplest thing that a user agent can do is verify that a certificate is
+accompanied by a reasonable number of
+[SCTs](https://certificate.transparency.dev/howctworks) with valid signatures.
+This requires [a list of trusted CT logs] containing their public keys.
+
+### Checking a certificate for inclusion in CT logs
+
+A user agent can confirm that an SCT has been honoured (an SCT is a promise to
+include a certificate in a log) by requesting an inclusion proof from the CT log
+that issued it. This requires having an STH (signed tree head) from that CT log
+that is newer than the SCT by at least that log's MMD (maximum merge delay).
+Requesting an inclusion proof may compromise the user's privacy (by revealing to
+that CT log that the user visited the website with the corresponding
+certificate) so a privacy-preserving method of requesting the proof should be
+used. This is an area of active research at Google, as well as in academia.
@@ -0,0 +1,102 @@
+---
+title: Google / Known Logs
+url: /google
+layout: markdown
+aliases:
+  - /known-logs
+---
+
+# Known Logs
+
+The list of CT Logs that are currently compliant with Chrome's CT policy (or
+have been and were disqualified), and are **included in Chrome**:
+https://www.gstatic.com/ct/log_list/v2/log_list.json
+
+`log_list.json` is signed by Google, the signature being hosted at:
+https://www.gstatic.com/ct/log_list/v2/log_list.sig
+
+`log_list.json` and the corresponding log_list.sig can also be obtained by
+downloading the zip file containing both of them, found at:
+https://www.gstatic.com/ct/log_list/v2/log_list.zip
+
+The public key to verify `log_list.sig` can be found at:
+https://www.gstatic.com/ct/log_list/v2/log_list_pubkey.pem
+
+The list of all known and announced CT Logs:
+https://www.gstatic.com/ct/log_list/v2/all_logs_list.json
+
+Both `log_list.json` and `all_logs_list.json` conform with the following schema:
+https://www.gstatic.com/ct/log_list/v2/log_list_schema.json
+
+To check whether Logs are currently **pending inclusion in Chrome**, check the
+Chromium inclusion bugs:
+[https://crbug.com/?q=component%3AInternals>Network>CertTrans](https://crbug.com/?q=component%3AInternals>Network>CertTrans)
+
+## Special Purpose Logs
+
+{{< log-callout url="https://ct.googleapis.com/daedalus/" base64LogID="HQJLjrFJizRN/YfqPvwJlvdQbyNdHUlwYaR3PEOcJfs=" operator="Google" contact="google-ct-logs@googlegroups.com" >}}
+
+Daedalus is not trusted by Chrome. It only logs certificates that have expired.
+See the announcement post [announcement post](https://groups.google.com/forum/#!topic/certificate-transparency/GUgWzCSN30I).
+
+{{< log-callout url="https://ct.googleapis.com/submariner/" base64LogID="qJnYeAySkKr0YvMYgMz71SRR6XDQ+/WR73Ww2ZtkVoE=" operator="Google" contact="google-ct-logs@googlegroups.com" >}}
+
+Submariner is not trusted by Chrome. It only logs certificates that chain to
+roots that are on track for inclusion in browser roots or were trusted at some
+previous point
+[announcement blog post](https://security.googleblog.com/2016/03/certificate-transparency-for-untrusted.html).
+
+## Test Logs
+
+These logs are intended for **testing purposes only** and will only log
+certificates that chain to a test root explicitly added to it.
+
+To add a test root to the Google test Logs, please email
+`google-ct-logs@googlegroups.com`
+
+A test root should:
+
+1.  have a certificate `Subject` field that:
+
+    a) includes the word `test`, `dev`, `demo` or `staging` (to reduce the
+    chance of real certificates being mixed up with test certificates).
+
+    b) identifies the organization that the test root is for (to allow easy
+    classification of test traffic).
+
+2.  not allow real certificates to chain to it, either because:
+
+    a) it is a self-signed root CA certificate identified as a test certificate
+    (as above).
+
+    b) it is an intermediate CA certificate that chains to a root certificate
+    that is also identified as a test certificate.
+
+3.  be a CA certificate, by:
+
+    a) having CA:TRUE in the Basic Constraints extension.
+
+    b) include the 'Certificate Sign' bit in the Key Usage extension.
+
+4.  be in PEM format (with a .cer or .pem extension).
+
+For historical reasons, Google's test logs include some test roots that do not
+comply with all of the above requirements.
+
+Google's test Logs are:
+
+{{< log-callout url="https://ct.googleapis.com/logs/crucible/" base64LogID="w78Dp+HKiEHGB7rj/0Jw/KXsRbGG675OLPP8d4Yw9fY=" operator="Google" contact="google-ct-logs@googlegroups.com" >}}
+
+{{< log-callout url="https://ct.googleapis.com/logs/solera2018/" base64LogID="UutLIl7IlpdIUGdfI+Q7wdAh4yFM5S7NX6h8IDzfygM=" operator="Google" contact="google-ct-logs@googlegroups.com" expiryRange="Jan 01 2018 00:00:00Z inclusive to Jan 01 2019 00:00:00Z exclusive" >}}
+
+{{< log-callout url="https://ct.googleapis.com/logs/solera2019/" base64LogID="C3YOmouaaC+ImFsV6UdQGlZEa7qIMHhcOEKZQ4ZFDAA=" operator="Google" contact="google-ct-logs@googlegroups.com" expiryRange="Jan 01 2019 00:00:00Z inclusive to Jan 01 2020 00:00:00Z exclusive" >}}
+
+{{< log-callout url="https://ct.googleapis.com/logs/solera2020/" base64LogID="H8cs5aG3mfQAw1m/+WyjkTVI6GRCIGEJUum6F3T3usc=" operator="Google" contact="google-ct-logs@googlegroups.com" expiryRange="Jan 01 2020 00:00:00Z inclusive to Jan 01 2021 00:00:00Z exclusive" >}}
+
+{{< log-callout url="https://ct.googleapis.com/logs/solera2021/" base64LogID="o8mYRegKt84AFXs3Qt8CB90nKytgLs+Y7iwS25xa5+c=" operator="Google" contact="google-ct-logs@googlegroups.com" expiryRange="Jan 01 2021 00:00:00Z inclusive to Jan 01 2022 00:00:00Z exclusive" >}}
+
+{{< log-callout url="https://ct.googleapis.com/logs/solera2022/" base64LogID="aXqvyhprU2+uISBQRt661+Dq6hPSQy5unY+zefK5qvM=" operator="Google" contact="google-ct-logs@googlegroups.com" expiryRange="Jan 01 2022 00:00:00Z inclusive to Jan 01 2023 00:00:00Z exclusive" >}}
+
+{{< log-callout url="https://ct.googleapis.com/logs/solera2023/" base64LogID="+X6XuNM+96FZAqU6GeF5kOXcQGoDGCW6rZPpj5ucacs=" operator="Google" contact="google-ct-logs@googlegroups.com" expiryRange="Jan 01 2023 00:00:00Z inclusive to Jan 01 2024 00:00:00Z exclusive" >}}
+
+{{< log-callout url="https://ct.googleapis.com/testtube/" base64LogID="sMyD5aX5fWuvfAnMKEkEhyrH6IsTLGNQt8b9JuFsbHc=" operator="Google" contact="google-ct-logs@googlegroups.com" >}}
@@ -0,0 +1,21 @@
+{{ define "main"}}
+
+<section>
+  <div class='wrap-outer'>
+    <div class='wrap'>
+      <div class='markdown'>
+        <div class='markdown-heading'>
+          <h1>{{ .Title }}</h1>
+          {{ if .Params.show_table_of_contents }}
+            <h4>Contents:</h4>
+            {{ .TableOfContents }}
+          {{ end }}
+        </div>
+        <div class="markdown-content">
+          {{ .Content }}
+        </div>
+    </div>
+  </div>
+</div>
+
+{{end}}
@@ -0,0 +1,25 @@
+{{/*
+    Copyright 2020 Google LLC
+
+    Licensed under the Apache License, Version 2.0 (the "License");
+    you may not use this file except in compliance with the License.
+    You may obtain a copy of the License at
+
+        https://www.apache.org/licenses/LICENSE-2.0
+
+    Unless required by applicable law or agreed to in writing, software
+    distributed under the License is distributed on an "AS IS" BASIS,
+    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    See the License for the specific language governing permissions and
+    limitations under the License.
+  */}}
+
+  <div class="log-callout">
+    <h4>{{ .Get "url" }}</h4>
+    <p>Base64 Log ID: {{ .Get "base64LogID" }}</p>
+    {{ if .Get "expiryRange" }}
+    <p>{{ .Get "expiryRange" }}</p>
+    {{ end }}
+    <p>Operator: {{ .Get "operator" }}</p>
+    <p>Contact: {{ .Get "contact" }}</p>
+</div>