On Thu, Oct 29, 2015 at 02:17:35PM +0100, Kurt Roeckx wrote:
> On 2015-10-28 22:30, Kathleen Wilson wrote:
> >According to the article, here is what Google is requiring of Symantec:
> >
> >1) as of June 1st, 2016, all certificates issued by Symantec itself will
> >be required to support Certificate Transparency
> 
> I know this is directly copied from their blog about this, but I wonder what
> it means for a certificate to support CT.  Is the requirement really that
> all certificates need to be published in CT?

Yes, I'd say that's the intention.  Further, I'll wager that Chromium will
refuse to trust a certificate issued after the cutoff date which chains to a
Symantec root, unless it is presented with sufficient SCTs to qualify under
Chromium's CT policy.  If Google's *really* playing hardball, they may
require all existing Symantec certs to be enumerated for a whitelist, and
will refuse to trust the notBefore date, similar to how existing EV certs
were grandfathered.

- Matt

-- 
Of course, I made the mistake of showing [a demo application] off to my boss,
who showed it off to his boss, and suddenly I couldn't reboot my desktop box
without getting a change control approved.
                -- Derick Siddoway, in a place that doesn't exist

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
