[CTFE] Add a /log.v3.json endpoint to help satisfy a requirement of the Chrome CT Log Policy#1703
Conversation
4277e18 to
73881f5
Compare
…he Chrome CT Log Policy
73881f5 to
b9f59b4
Compare
|
/gcbrun |
|
FYI, we've deployed the code changes in this PR to all of Sectigo's logs. |
|
/gcbrun |
trillian/ctfe/handlers.go
Outdated
| Scheme: r.URL.Scheme, | ||
| User: r.URL.User, | ||
| Host: r.URL.Host, | ||
| Path: li.instanceOpts.Validated.Config.Prefix, |
There was a problem hiding this comment.
I think that this won't work with override_handler_prefix.
trillian/ctfe/handlers.go
Outdated
| if u.Scheme == "" { | ||
| u.Scheme = "https" | ||
| } | ||
| if u.Host == "" { |
There was a problem hiding this comment.
I spoke witch a bunch of folks about it, tried to predict how this would land on various deployments. I worry that this logic makes it hard to predict what this will output when the CTFE runs behind various proxies. I don't know how I would easily test that in a production environment, nor how I would make sure that it does not change over time. Plus, this would not return a single consistent host if the log happens to be served on multiple hosts. As much as I dislike this, I see no option but to add a "host" field to the config. I would even go as far as not serving this endpoint if the "host" field does not exist in that config.
|
Thanks for the PR - noted that it works on Sectigo's logs, and that this PR is also the result of conversations on Slack (apologies for not engaging back then, I was OOO). I worry that it might not work with all deployments though, so I'm thinking that we should aim for a more predictable behaviour? |
|
/gcbrun |
1 similar comment
|
/gcbrun |
4925a94 to
613ca5f
Compare
|
/gcbrun |
Per this announcement, the Chrome CT Log Policy now requires log operators to publish various metadata for each log in a JSON object, either pasted directly into the log's inclusion bug or available via a URL.
This PR adds a
/log.v3.jsonendpoint to CTFE to help satisfy this requirement.Checklist