On 02/09/16 21:14, John Nagle wrote: > 2. For certs under this root cert, always check > CA's certificate transparency server. Fail > if not found.
To my knowledge, CT does not have any kind of online check mechanism. SCTs can be embedded in the certificate (at the time of issuance), delivered as part of the TLS handshake or via OCSP stapling. In practice that means certificates will either have to be re-issued, or website operators need to modify their server software and configuration (not many sites currently deliver SCTs). In terms of real-world impact, you probably could just as well pull the root completely. I believe there are two possible solutions if CT enforcement is what the community decides on: 1. Enforce CT only after a certain date, after which WoSign will need to embed qualified SCTs. This check can be bypassed if the CA backdates certificates (which is problematic, given the history of backdating certificates in this particular case.) 2. Verify that the certificates either have a qualified SCT *or* are explicitly white-listed as certificates that have been issued prior to WoSign implementing CT. There are a number of possible implementations for this (Google's Safe Browsing, etc.), but they'd all require a non-trivial amount of development work. _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy