The goal of Apple's Certificate Transparency log program is to establish a set of Certificate Transparency (CT) logs that are trusted on Apple's platforms to provide Signed Certificate Timestamps (SCT) for publicly trusted TLS server authentication certificates.
Program policies and requirements
To be considered for inclusion in Apple's Certificate Transparency log program, logs must meet all of the following requirements:
- Log instances must implement CT as specified by RFC6962.
- A log must not present two or more conflicting views of the Merkle Tree at different times and/or to different parties.
- The Maximum Merge Delay (MMD) for logs is 24 hours.
- A log must incorporate a certificate that it created an SCT for within the MMD.
- A log instance must meet Apple's uptime requirement of 99%, as measured by Apple.
- No log outage can last longer than the MMD.
- A log must accept certificates that are issued by Apple's compliance root CA to monitor the log's compliance with these policies.
- Logs must trust all root CA certificates included in Apple's trust store. Logs are allowed to trust additional roots that might not be included in Apple's trust store.
A maximum of three qualified or usable log instances is allowed per operator. For logs without certificate expiration restrictions, an instance is represented as a URL and log signing key. For logs with certificate expiration restrictions, a set of time-sharded logs counts as a single instance. Here's an example of a single-log instance running four time shards:
Company A 'Loggy 2020' log: accepts certificates that expire between 2020-01-01 00:00:00 UTC - 2021-01-01 00:00:00 UTC
Company A 'Loggy 2021' log: accepts certificates that expire between 2021-01-01 00:00:00 UTC - 2022-01-01 00:00:00 UTC
Company A 'Loggy 2022' log: accepts certificates that expire between 2022-01-01 00:00:00 UTC - 2023-01-01 00:00:00 UTC
Company A 'Loggy 2023' log: accepts certificates that expire between 2023-01-01 00:00:00 UTC - 2024-01-01 00:00:00 UTC
States of logs on Apple's platforms
Logs that are included on Apple's platforms can be in one of the following states:
The log has requested inclusion in Apple's trusted log list, but hasn't been accepted yet. A pending log doesn't count as "currently qualified" or "once qualified."
The log has been accepted in Apple's program and set for distribution to Apple's platforms. A qualified log counts as "currently qualified."
SCTs from the log can be relied on to meet Apple's client CT policy. A usable log counts as "currently qualified." Logs transition from qualified to usable after a minimum of 74 days in the qualified state.
The log is trusted on Apple's platforms but is read-only — i.e., the log has stopped accepting certificate submissions. A frozen log counts as "currently qualified."
The log was trusted on Apple's platforms until the specific retirement timestamp. A retired log counts as "once qualified" if the SCT in question was issued before the retirement timestamp. A retired log doesn't count as "currently qualified."
The log is not and will not be trusted on Apple's platforms. A rejected log doesn't count as "currently qualified" or "once qualified."
After a log is accepted into Apple's Certificate Transparency log program, a 90-day monitoring period checks the log for compliance with Apple's policy. During this time, the log state is "pending."
Apple can reject any log at its discretion. If this happens, the log state becomes "rejected." If Apple finds no issues during the monitoring period, the log can be accepted, at which time the log state becomes "qualified."
Apple monitors the log on an ongoing basis for compliance with log program policies. A log's state during this time can be "qualified," "usable," "frozen," or "retired."
A log can be retired at any time, at Apple's discretion or as a result of failure to comply with log program policies. The log's state then becomes "retired."
Apply for inclusion
To apply for inclusion in Apple's CT log program, email email@example.com and include the following:
- The log's description
- The policy for accepting certificates, including a list of accepted root certificates by Subject DN and SHA256 fingerprint
- The policy for rejecting certificates for logging
- The log's MMD
- Contact information, including email addresses and phone numbers for two operator operations contacts and two operator representative contacts
- A publicly accessible CT log server URL (HTTP)
- A CT log public key (DER encoding of the SubjectPublicKeyInfo ASN.1 structure)