On Fri, Sep 09, 2016 at 10:25:43AM -0700, Ryan Sleevi wrote:
> On Friday, September 9, 2016 at 4:42:12 AM UTC-7, Rob Stradling wrote:
> > That's a good point.  So, to fix my proposal...
> > 
> > For CAs that are on (borrowing Matt's wording) "quintuple secret
> > probation" due to a "history of shenanigans with notBefore dates",
> > browsers could require that:
> 
> Right, I suppose I could have been clearer - I don't think there's a
> "quintuple secret probation" concept, and that promoting it as such is
> probably harmful, long term, to both Mozilla users and the overall
> ecosystem.

Whilst the name was somewhat tongue-in-cheek, the concept is certainly
existent -- Symantec being required by Chrome to pre-log all certs issued
was the precedent I had in mind.  There, of course, the phased rollout was
easier, because there was no indication of any notBefore shenanigans, so
trusting it as an indicator of "policy requirement" was reasonable.

> We shouldn't think of CT as a 'punishment' or 'probationary period'.
> Transparency is just one aspect of public trust, and all CAs - whether
> misissuance or not - should ideally adopt CT in a verifiable way.

Oh, absolutely -- having all certs logged to CT is by far the best long-term
outcome for the entire ecosystem.  The future is not equally distributed,
though, just yet. <grin>

- Matt

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy