On Tuesday, June 9, 2015 at 7:45:05 AM UTC-7, Kurt Roeckx wrote:
> On 2015-06-09 15:26, Peter Kurrasch wrote:
> > 3) How frequently might such tools run? Or to put it differently, how much 
> > time do I probably have between when I issue a gmail cert and when someone 
> > figures it out (and of course how much longer before my illegitimate cert 
> > is no longer valid)? I need only 24 hours to do all the damage I want, but 
> > in a pinch I'll make do with 8.
> 
> CT allows storing precertificates.  That is, the CA says it intends to 
> issue a certificate.  Should we mandate the use of precertificates and a 
> minimum time between the precertificate and the real certificate?
> 
> 
> Kurt

Absolutely not. If a CA is unable to get the required minimum number of SCTs, 
it will likely not issue the cert (sure, it may retry, but it's possible that 
retries fail too). Logging must be seen as intent, but not a guarantee of 
issuance.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
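The point made in the reply (a logged precertificate is a statement of intent, not proof that a certificate was issued, and a CA that cannot collect the required number of SCTs may never issue) is easiest to see from the monitoring side. The following is an added example, not code from this thread or from any CT log or monitor: it models a domain owner's CT monitor over constructed log entries, alerts on precertificates as well as final certificates, measures the precert-to-cert gap where a final certificate exists, and checks an assumed "at least N distinct logs" SCT policy. Log names, issuer names, serials and domains are all made up; the entry types follow the RFC 6962 `LogEntryType` values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Entry types as in RFC 6962 LogEntryType: x509_entry(0), precert_entry(1).
X509_ENTRY = 0
PRECERT_ENTRY = 1


@dataclass(frozen=True)
class LogEntry:
    """One SCT-bearing log entry as a monitor would record it (fields constructed here)."""
    log_id: str          # hypothetical log name, e.g. "log-a"
    entry_type: int      # X509_ENTRY or PRECERT_ENTRY
    serial: str          # a precert and its final cert share the issuer serial number
    issuer: str          # issuer CN (constructed)
    names: tuple         # dNSNames from the SAN extension
    timestamp: datetime  # SCT timestamp


def covers(san_name: str, domain: str) -> bool:
    """True if a SAN entry matches the domain exactly or as a single-label wildcard."""
    if san_name.lower() == domain.lower():
        return True
    if san_name.startswith("*."):
        parent = domain.split(".", 1)[1] if "." in domain else ""
        return parent.lower() == san_name[2:].lower()
    return False


def find_unauthorized(entries, watched, authorized_issuers):
    """Return (serial, kind, first_seen) for every distinct serial that names a
    watched domain and comes from an issuer the owner did not authorize.
    Precerts are included on purpose: a logged precert is the CA's declared
    intent to issue, so the monitor alerts on it instead of waiting for the
    final certificate to show up."""
    seen = {}
    for e in sorted(entries, key=lambda x: x.timestamp):
        if e.issuer in authorized_issuers:
            continue
        if not any(covers(n, d) for n in e.names for d in watched):
            continue
        kind = "precert" if e.entry_type == PRECERT_ENTRY else "cert"
        seen.setdefault(e.serial, (kind, e.timestamp))
    return sorted((s, kind, ts) for s, (kind, ts) in seen.items())


def precert_to_cert_delay(entries, serial):
    """Gap between the earliest precert SCT and the earliest final-cert SCT for a
    serial, or None when no final certificate was ever logged (intent, no issuance)."""
    pre = [e.timestamp for e in entries if e.serial == serial and e.entry_type == PRECERT_ENTRY]
    fin = [e.timestamp for e in entries if e.serial == serial and e.entry_type == X509_ENTRY]
    if not pre or not fin:
        return None
    return min(fin) - min(pre)


def meets_sct_policy(entries, serial, min_scts):
    """Assumed policy: SCTs from at least min_scts distinct logs (precert or cert)."""
    logs = {e.log_id for e in entries if e.serial == serial}
    return len(logs) >= min_scts


# Constructed sample data; none of it comes from a real log.
T0 = datetime(2015, 6, 9, 12, 0, tzinfo=timezone.utc)
WATCHED_DOMAINS = {"example.com", "mail.example.com"}
AUTHORIZED_ISSUERS = {"Trusted CA (constructed)"}
SAMPLE_ENTRIES = [
    # Serial A: precert in two logs, final cert five minutes later. Authorized issuer.
    LogEntry("log-a", PRECERT_ENTRY, "A-0001", "Trusted CA (constructed)",
             ("example.com", "www.example.com"), T0),
    LogEntry("log-b", PRECERT_ENTRY, "A-0001", "Trusted CA (constructed)",
             ("example.com", "www.example.com"), T0 + timedelta(minutes=1)),
    LogEntry("log-a", X509_ENTRY, "A-0001", "Trusted CA (constructed)",
             ("example.com", "www.example.com"), T0 + timedelta(minutes=5)),
    # Serial B: a precert from an unexpected issuer, logged once, no final cert seen.
    LogEntry("log-a", PRECERT_ENTRY, "B-0002", "Other CA (constructed)",
             ("mail.example.com",), T0 + timedelta(hours=1)),
    # Serial C: unrelated domain, should not be flagged.
    LogEntry("log-c", X509_ENTRY, "C-0003", "Other CA (constructed)",
             ("unrelated.example.org",), T0),
]


if __name__ == "__main__":
    for serial, kind, ts in find_unauthorized(SAMPLE_ENTRIES, WATCHED_DOMAINS, AUTHORIZED_ISSUERS):
        print(f"ALERT {serial}: {kind} logged at {ts.isoformat()}")
    for serial in ("A-0001", "B-0002"):
        print(serial, "precert->cert delay:", precert_to_cert_delay(SAMPLE_ENTRIES, serial),
              "| meets 2-log policy:", meets_sct_policy(SAMPLE_ENTRIES, serial, 2))
```

Serial B is the interesting case: the monitor raises an alert on the precert alone, the delay function reports `None` because no final certificate was logged, and the serial fails the assumed two-log policy. That matches the reply's point: a mandatory delay measured from the precert would give a monitor a head start only on certificates that are actually issued, while a precert with too few SCTs may never become one.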