On Thu, Oct 29, 2015 at 02:17:35PM +0100, Kurt Roeckx wrote:
> On 2015-10-28 22:30, Kathleen Wilson wrote:
> >According to the article, here is what Google is requiring of Symantec:
> >
> >1) as of June 1st, 2016, all certificates issued by Symantec itself will
> >be required to support Certificate Transparency
>
> I know this is directly copied from their blog about this, but I wonder what
> it means for a certificate to support CT. Is the requirement really that
> all certificates need to be published in CT?

Yes, I'd say that's the intention. Further, I'll wager that Chromium will
refuse to trust a certificate issued after the cutoff date which chains to a
Symantec root, unless it is presented with sufficient SCTs to qualify under
Chromium's CT policy.

If Google's *really* playing hardball, they may require all existing
Symantec certs to be enumerated for a whitelist, and will refuse to trust
the notBefore date, similar to how existing EV certs were grandfathered.

- Matt

-- 
Of course, I made the mistake of showing [a demo application] off to my
boss, who showed it off to his boss, and suddenly I couldn't reboot my
desktop box without getting a change control approved.
		-- Derick Siddoway, in a place that doesn't exist
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy