On 2015-06-09 15:26, Peter Kurrasch wrote:
3) How frequently might such tools run? Or to put it differently, how much time do I probably have between when I issue a gmail cert and when someone figures it out (and of course how much longer before my illegitimate cert is no longer valid)? I need only 24 hours to do all the damage I want, but in a pinch I'll make do with 8.
CT allows to store precertificate. That is, the CA says it intents to issue a certificate. Should we mandate the use of precertificates and a minimum time between the precertificate and the real certificate?
Kurt _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
