On 2016-10-14 03:20, Matt Palmer wrote:
On Thu, Oct 13, 2016 at 09:49:50AM -0700, Kathleen Wilson wrote:
5. 100% embedded CT for all issued certificates, with embedded SCTs from
at least one Google and one non-Google log not controlled by the CA.
Will there be any requirements around the qualification status of the logs,
or could anyone who wanted to be "nice" just stand up a log, and have these
CAs obtain precerts from them?
I would suggest to use the same qualification criteria as Google uses
for Chromium
(https://www.chromium.org/Home/chromium-security/certificate-transparency/log-policy).
The requirement are otherwise more strict that what Chromium uses, it
does not require them to be embedded, and they can operate the log
themselves. See
https://www.chromium.org/Home/chromium-security/root-ca-policy/CTPolicyMay2016edition.pdf
Kurt
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
