On Saturday, October 1, 2016 at 9:03:38 PM UTC-7, Kurt Roeckx wrote:
> On Sat, Oct 01, 2016 at 11:35:06AM -0700, Percy wrote:
> > "Apple products will trust individual existing certificates issued from
> > this intermediate CA and published to public Certificate Transparency log
> > servers by 2016-09-19"
> >
> > It seems that Apple has taken the explicit white-listed approach despite
> > the size drawback mentioned in the other thread.
>
> From what I get, they check that it's been logged in CT. And I'm
> not sure what that means, like doing an online check against a CT
> log, require that the SCT has been stapled or have a whitelist.
>
>
> Kurt

Either way, this is far better than trusting a notBefore date of the certs when the main problem of WoSign is the tampering of the notBefore date and the cover-up when explicitly questioned about it.