Skip to content

Add cron job to fetch trusted roots for MTC #117

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
lukevalenta merged 1 commit into from
Sep 26, 2025
Merged

Add cron job to fetch trusted roots for MTC #117

lukevalenta merged 1 commit into from
Sep 26, 2025

Conversation

@lukevalenta
Copy link
Contributor

@lukevalenta lukevalenta commented Sep 25, 2025

Add a cron job that runs once per day and updates trusted roots for MTC.

Remove the option to manually load in roots for the MTCA, and exclusively use the CCADB list.

Substantiative differences from the static CT's CCADB cron job:

  • Instead of using the union of trusted roots from a manually supplied roots file and various root stores, we use the intersection of the Chrome and Mozilla trust stores, since Chrome needs to validate bootstrap chains, and we're using Mozilla's CRLite filters for revocation checks.
  • Instead of making the trusted roots append-only, the roots list is pruned. (If Chrome removes a trusted root, we want to remove it as well.)
  • Instead of each log shard storing its own roots file in KV, we just use a single file, since we're just staying in sync with the CCADB list.
  • Don't import the 'CT Monitoring' root.

@lukevalenta
Add cron job to fetch trusted roots for MTC
5f13174 
Add a cron job that runs once per day and updates trusted roots for MTC.

Remove the option to manually load in roots for the MTCA, and
exclusively use the CCADB list.

Substantiative differences from the static CT's CCADB cron job:
- Instead of using the union of trusted roots from a manually supplied
  roots file and various root stores, we use the intersection of the
  Chrome and Mozilla trust stores, since Chrome needs to validate
  bootstrap chains, and we're using Mozilla's CRLite filters for
  revocation checks.
- Instead of making the trusted roots append-only, the roots list is
  pruned. (If Chrome removes a trusted root, we want to remove it as
  well.)
- Instead of each log shard storing its own roots file in KV, we just
  use a single file, since we're just staying in sync with the CCADB
  list.
- Don't import the 'CT Monitoring' root.
@lukevalenta lukevalenta self-assigned this Sep 25, 2025
@lukevalenta lukevalenta added the mtc Merkle Tree Certificates label Sep 25, 2025
@lukevalenta lukevalenta merged commit 121d8a8 into main Sep 26, 2025
1 check passed
@lukevalenta lukevalenta deleted the lvalenta/mtc-roots-cron branch September 26, 2025 13:06
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@bwesterb bwesterb bwesterb approved these changes

@rozbb rozbb Awaiting requested review from rozbb

@cjpatton cjpatton Awaiting requested review from cjpatton

Assignees

@lukevalenta lukevalenta

Labels

mtc Merkle Tree Certificates

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@lukevalenta @bwesterb