On 2/8/16 1:07 PM, Peter Bowen wrote:
On Mon, Feb 8, 2016 at 12:18 PM, Kathleen Wilson <kwil...@mozilla.com> wrote:
We recently added two tests that CAs must perform and resolve errors for
when they are requesting to enable the Websites trust bit for their root
certificate.

Test 1) Browse to https://crt.sh/ and enter the SHA-1 Fingerprint for the
root certificate. Then click on the 'Search' button. Then click on the 'Run
cablint' link. All errors must be resolved/fixed.

Kathleen,

As I understand it, the current policy for most CT logs (which is
where crt.sh gets data) is that the root must already be in a root
program (Apple, Google Android/Chrome OS, Microsoft, or Mozilla) or
cross-signed by a root in those programs to be included in the log.


Correct. In such cases no cert is found, but also no errors are returned.


Therefore I think it is reasonable to expect that new roots are not
included in crt.sh.


Some are in crt.sh -- especially for those CAs who are new to Mozilla's program.


I'm assuming the second test checks the uploaded
root certificate, so that should be sufficient for testing.

I could be wrong, but I think there is value in both tests, especially for those CAs who are in other root programs, and not yet in Mozilla's root program.

Kathleen
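As an added illustration of Test 1 and of the "no cert found, no errors returned" case discussed above (this is example code, not from the thread or from crt.sh), the script below derives the SHA-1 fingerprint over the DER bytes of a root, builds the crt.sh search URL, and classifies the lookup result so that an empty answer is reported as inconclusive rather than as a clean lint. The `q`/`output=json` query parameters and the JSON entry shape are assumptions about crt.sh; the certificate bytes are a constructed stand-in, not a real X.509 structure.

```python
# Added example (not from the thread): SHA-1 fingerprint for a crt.sh lookup, plus a
# result check that distinguishes "root not in any CT log" from "root found, lint clean".
import base64
import hashlib
import json
import re
from urllib.parse import urlencode

CRT_SH = "https://crt.sh/"  # search endpoint named in the thread


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and base64-decode; the fingerprint is over DER, not the PEM text."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block in input")
    return base64.b64decode("".join(m.group(1).split()), validate=True)


def sha1_fingerprint(der: bytes) -> str:
    """Upper-case hex SHA-1 over the DER bytes, colon separated as browsers display it."""
    digest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, 40, 2))


def crtsh_search_url(fingerprint: str) -> str:
    """Assumed query form: the bare hex hash in 'q', JSON output requested via 'output'."""
    return CRT_SH + "?" + urlencode({"q": fingerprint.replace(":", ""), "output": "json"})


def interpret_response(body: str) -> str:
    """Classify a crt.sh JSON body (assumed to be a list of entries). An empty list means
    the root is in no CT log crt.sh follows: nothing was linted, so it is not a pass."""
    entries = json.loads(body) if body.strip() else []
    if not entries:
        return "NOT_IN_CT_LOGS: nothing to lint; Test 1 is inconclusive, rely on Test 2"
    return f"FOUND: {len(entries)} entries; run cablint and resolve every error"


# Constructed stand-in for a root certificate; the payload is not a real X.509 structure.
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(b"\x30\x82\x00\x10constructed-root").decode()
              + "\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    fp = sha1_fingerprint(pem_to_der(SAMPLE_PEM))
    print(fp)
    print(crtsh_search_url(fp))
    print(interpret_response("[]"))
    print(interpret_response('[{"id": 1, "issuer_name": "C=XX, O=Constructed Root CA"}]'))
```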


_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
